Patch Tuesday for October 2014 – bigger than usual as Microsoft, Adobe and Oracle align

Get ready for a bigger-than-usual Patch Tuesday this month.

October is one of Oracle’s Critical Patch Update (CPU) months, and there are usually more fixes in a CPU than there are Bulletins in the average Microsoft or Adobe update.

That’s because Oracle buffers up its fixes for a quarter at a time, instead of patching every month.

Oracle also publishes its patches on the Tuesday closest to the middle of the month, which often gives you a week’s breathing space after Microsoft and Adobe go live on the second Tuesday.

But October 2014 starts on a Wednesday, which pushes the second Tuesday far enough into the month to co-incide with Oracle’s “mid-month” calendar calculations.

As a result, Oracle, Adobe and Microsoft patches are all arriving together on Tuesday 14 October 2014.

Bumper Oracle crop

Simply put, there are lots of Oracle patches coming, with “155 new security vulnerability fixes across hundreds of Oracle products”.

As usual, the Oracle update that will affect the most people is the one for Java.

There are 25 security fixes for Java alone, of which Oracle states that 22 “may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”

In brief, that means that with Java enabled in your browser, merely visiting a web page in which a crook has concealed a malicious Java applet could be enough to infect you with malware, with no pop-ups, warnings or other tell-tale signs of criminal activity.

→ Don’t read too much into the absolute count of fixes. A Java update with 25 fixes isn’t necessarily five times worse, or five times more panic-worthy, that an update closing 5 holes. Indeed, a 25-fix patch might be five times better than a 5-fix patch, because it implies better success hunting down bugs.

Although we’ve said this many times before, we thought we’d better remind you again:

  • You can turn off Java in your browser without removing Java altogether from your computer. This means you can run pre-installed Java applications without exposing your browser to the much greater risk of Java applets, which are mini-apps delivered automatically inside web pages.
  • You can turn off Java in your browser without turning off JavaScript. They are not the same. Many of the websites you use probably do require JavaScript, so turning it off could be problematic. But few websites in 2014 still require Java – ironically, because JavaScript now does most of what Java used to be used for.

Microsoft to publish 9 bulletins

This month, Microsoft will be publishing nine updates across multiple products, including: Windows itself, Internet Explorer, Office, and the Microsoft Developer Tools (Visual Studio).

Five of the nine patches are listed as fixing Remote Code Execution (RCE) holes, typically the sort of bug that Oracle described above as “remotely exploitable without authentication,” and that Adobe warned could “potentially allow an attacker to take over the affected system.”

Interestingly, only three of the five RCE bugs are rated critical by Microsoft, even though you might assume that any RCE ought to be considered critical almost as a matter of definition.

We shan’t know why until the patches have actually been published and the details officially revealed, but a reasonable guess is that the non-critical RCEs can only be triggered by users who have already logged in.

That would mean that these holes wouldn’t count as “remotely exploitable without authentication,” thus reducing their risk significantly.

Server Core affected

Most notable in this month’s set of Microsoft updates is that even your Server Core Installations will be getting critical patches.

Server Core versions of Windows are stripped down to a lean set of essential system software, sufficient to run vital services such as DHCP and DNS, but not enough to support software such as Internet Explorer (or, indeed, any other browser), Office, Reader or Flash.

That greatly reduces the attack surface area, and with less to go wrong, Server Core systems typically require fewer patches, especially critical patches.

However, all Server Core flavours will get at least one critical fix this month, and will require a reboot.

Don’t forget to schedule those outages for the DHCP and DNS servers on your network!