Get ready for a bigger-than-usual Patch Tuesday this month.
October is one of Oracle’s Critical Patch Update (CPU) months, and there are usually more fixes in a CPU than there are Bulletins in the average Microsoft or Adobe update.
That’s because Oracle buffers up its fixes for a quarter at a time, instead of patching every month.
Oracle also publishes its patches on the Tuesday closest to the middle of the month, which often gives you a week’s breathing space after Microsoft and Adobe go live on the second Tuesday.
But October 2014 starts on a Wednesday, which pushes the second Tuesday far enough into the month to coincide with Oracle’s “mid-month” calendar calculations.
As a result, Oracle, Adobe and Microsoft patches are all arriving together on Tuesday 14 October 2014.
Bumper Oracle crop
Simply put, there are lots of Oracle patches coming, with “155 new security vulnerability fixes across hundreds of Oracle products”.
As usual, the Oracle update that will affect the most people is the one for Java.
There are 25 security fixes for Java alone, of which Oracle states that 22 “may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”
In brief, that means that with Java enabled in your browser, merely visiting a web page in which a crook has concealed a malicious Java applet could be enough to infect you with malware, with no pop-ups, warnings or other tell-tale signs of criminal activity.
→ Don’t read too much into the absolute count of fixes. A Java update with 25 fixes isn’t necessarily five times worse, or five times more panic-worthy, than an update closing 5 holes. Indeed, a 25-fix patch might be five times better than a 5-fix patch, because it implies better success hunting down bugs.
Although we’ve said this many times before, we thought we’d better remind you again:
- You can turn off Java in your browser without removing Java altogether from your computer. This means you can run pre-installed Java applications without exposing your browser to the much greater risk of Java applets, which are mini-apps delivered automatically inside web pages.
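One way to verify that advice from the defender’s side, as an added example that is not from the article: a small Python script that parses Java’s per-user deployment.properties file and reports whether the browser plug-in is switched off. It assumes the file locations Oracle documents for Windows and Unix-like systems, and that the Java Control Panel’s “Enable Java content in the browser” checkbox is stored as the key deployment.webjava.enabled (Java 7u10 and later); the sample file contents are constructed for the example.

```python
"""Report whether Java's browser plug-in is disabled in deployment.properties.

Added example, not code from the article. Assumptions:
  - per-user file location as documented by Oracle (Windows:
    %USERPROFILE%\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties,
    Unix-like: ~/.java/deployment/deployment.properties);
  - the "Enable Java content in the browser" checkbox is stored as
    deployment.webjava.enabled=false (Java 7u10 and later).
"""
import os
import sys
from pathlib import Path


def _split_kv(line):
    """Split one logical line into key and value at the first unescaped
    '=', ':' or whitespace, as java.util.Properties does."""
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\":          # escaped character: keep it in the key
            i += 2
            continue
        if c in "=:" or c.isspace():
            break
        i += 1
    key = line[:i].replace("\\:", ":").replace("\\=", "=")
    rest = line[i:].lstrip()
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip()
    return key, rest           # value is returned raw (escapes untouched)


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or
    key:value, and backslash line continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        # an odd number of trailing backslashes means "continued on next line"
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        key, val = _split_kv(line)
        props[key] = val
    return props


def web_java_enabled(props):
    """True unless the key is explicitly 'false'; a missing key means Java's
    default, which is plug-in enabled."""
    return props.get("deployment.webjava.enabled", "true").strip().lower() != "false"


def default_properties_path():
    """Per-user deployment.properties location (assumed, see module docstring)."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("USERPROFILE", "~")).expanduser()
        return base / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties"
    return Path.home() / ".java" / "deployment" / "deployment.properties"


def check_file(path):
    """None if the file is absent (Java defaults apply), else the enabled state."""
    p = Path(path)
    if not p.is_file():
        return None
    return web_java_enabled(parse_properties(p.read_text(encoding="utf-8", errors="replace")))


# Constructed sample files: one with the browser plug-in switched off, one
# that never mentions the key (so the default, enabled, applies).
SAMPLE_DISABLED = r"""#deployment.properties
#Tue Oct 14 09:00:00 BST 2014
deployment.webjava.enabled=false
deployment.security.level=HIGH
deployment.user.cachedir=C\:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache
"""
SAMPLE_ENABLED = r"""#deployment.properties
deployment.security.level=HIGH
"""

if __name__ == "__main__":
    for label, text in (("disabled sample", SAMPLE_DISABLED), ("enabled sample", SAMPLE_ENABLED)):
        state = "ENABLED" if web_java_enabled(parse_properties(text)) else "disabled"
        print(f"{label}: browser Java {state}")
    real = check_file(default_properties_path())
    if real is None:
        print("no per-user deployment.properties found: Java defaults apply (plug-in enabled)")
    else:
        print("this user's file: browser Java", "ENABLED" if real else "disabled")
```

Note that this reads only the per-user file; an administrator can pin the setting machine-wide through a system deployment.config, so on managed estates check that file as well.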
Microsoft to publish 9 bulletins
This month, Microsoft will be publishing nine updates across multiple products, including: Windows itself, Internet Explorer, Office, and the Microsoft Developer Tools (Visual Studio).
Five of the nine patches are listed as fixing Remote Code Execution (RCE) holes, typically the sort of bug that Oracle described above as “remotely exploitable without authentication,” and that Adobe warned could “potentially allow an attacker to take over the affected system.”
Interestingly, only three of the five RCE bugs are rated critical by Microsoft, even though you might assume that any RCE ought to be considered critical almost as a matter of definition.
We shan’t know why until the patches have actually been published and the details officially revealed, but a reasonable guess is that the non-critical RCEs can only be triggered by users who have already logged in.
That would mean that these holes wouldn’t count as “remotely exploitable without authentication,” thus reducing their risk significantly.
Server Core affected
Most notable in this month’s set of Microsoft updates is that even your Server Core Installations will be getting critical patches.
Server Core versions of Windows are stripped down to a lean set of essential system software, sufficient to run vital services such as DHCP and DNS, but not enough to support software such as Internet Explorer (or, indeed, any other browser), Office, Reader or Flash.
That greatly reduces the attack surface area, and with less to go wrong, Server Core systems typically require fewer patches, especially critical patches.
However, all Server Core flavours will get at least one critical fix this month, and will require a reboot.
Don’t forget to schedule those outages for the DHCP and DNS servers on your network!
5 comments on “Patch Tuesday for October 2014 – bigger than usual as Microsoft, Adobe and Oracle align”
Adobe should push security updates according to their patch schedule. However, the links you’ve posted deal with vulnerabilities they patched last month. Furthermore, one of the links you posted is broken. The PSIRT blog does not have any info about what to expect for October at the moment.
Heck, I thought those Adobe bulletin numbers looked familiar 🙂
Sorry about the anachronism…I’ve simply removed the Adobe info until I have something more to go on.
Many thanks for the heads up Paul.
Mozilla should also be releasing Firefox 33 tomorrow. If you are a Tor user, a new browser bundle containing an updated Firefox ESR should also be available shortly after (usually within 1 to 2 days) Mozilla issues an update.
I hope this helps.
Can you pick the ones that you don’t need? For instance, I have Java turned off and I don’t need the fixes, but because it is by Oracle, will I still need to get them? I do have Java script by Oracle. I am confused. Now Concerned Citizen said, as have you Paul, that they are from last month and are broken. Thank you for your help, and the heads up Paul. Much appreciated.
Many thanks for your question.
I also have Java turned off in the browser, but since I have Java applications installed I will be installing the Java updates when they become available later today. Right now I have Java SE version Update 20 installed (sometimes the JRE (Java Runtime Environment)).
While I do not have Java enabled in the browser, vulnerable code will be present on my system if I don’t update. In addition, not all the fixes may be for Java being used in the browser; some may be for the Java applications installed on your computer (if you have any).
If you are using Windows or Microsoft Office, you will need some of the updates from Microsoft. If you are using Adobe Flash, you will need that update too.
I hope the above explanation is of assistance to you. If you have any other questions, please feel free to ask. Have a good day.