
Four advisories included in Microsoft patch

15 January, 2014
The first 2014 patch update from Microsoft has elicited mixed industry reaction, with just four advisories issued

With a quiet start to the 2014 season, IT administrators may seem free to relax this month as Microsoft releases just four advisories in its monthly "Patch Tuesday" for January. MS14-001, 002, 003 and 004 are all marked as important, but the consensus of opinion is that patch 002 is the priority as it addresses issues associated with kernel elevation of privilege.

In all cases, Trustwave recommends applying all the patches as soon as possible. The company's Director of Security Research, Ziv Mador, explained:

"Two of the vulnerabilities result in a privilege elevation and a third involves remote code execution utilising an Office document. On their own these vulnerabilities might not be critical, but combined they can be much more serious. If an attacker used a malicious Office document to execute code that takes advantage of the privilege elevation vulnerability, then a phishing email to an unsuspecting user would be all that's necessary. One researcher has seen this type of combined attack in the wild actually using one of this month's bulletins, MS14-002 (CVE-2013-5065), as part of the attack. Although it uses Adobe Reader instead of Office, the attack vector would be similar".

Rapid7's Ross Barrett favours prioritisation and recommends the application of the 002 privilege elevation vulnerability patch first for Windows XP and 2003 systems as this was disclosed as far back as November and has seen some limited exploitation already. Following the 002 patch, users should then apply 001 and 003 if applicable.

According to Ross Barrett, "If you are worried about 002 and not 003, you are likely going to have some problems come April when support ends for Windows XP. Patch the DoS in MS Dynamics when you are really bored sometime… no, just kidding. If you have Dynamics in your environment, don't overlook this patch. It's the type of system where downtime can have a material cost to your business."

An IE roll up patch is noticeable by its absence this month and Ross believes that despite the busy IE roll up season in 2013, it's not over yet and more is likely to be seen so expect such a patch in February.

Tripwire's Tyler Reguly agrees that the most important patch this month is 002. He said, "This bulletin resolves a known privilege escalation that has been used in conjunction with Adobe exploits to escape the sandbox and gain system level access. This patch should be at the top of everyone's priority lists."

The "light patch" from Microsoft, however, has been somewhat eclipsed by updates from other vendors. According to Tripwire's security research and development manager, "Microsoft and Adobe have been mostly synchronized for a while now and that has made security teams' lives easier. I was, however, shocked to see Oracle jumping on the bandwagon this month. Here's hoping large enterprises have everything in place to handle the sheer volume of patches coming out today. With three major vendors releasing content, this is definitely a time to have a solid vulnerability management program in place."
