Monday 20 January 2014

Oracle Joins Adobe, Microsoft in Giant January Patch Tuesday

Image via Flickr user Dan Dickinson It's a trifecta of software patches, with Microsoft, Adobe, and Oracle all releasing security updates on the same day.
As expected, Microsoft started off 2014 with a fairly light Patch Tuesday release, fixing six not-so-critical vulnerabilities across four security bulletins. On the same day, Adobe issued two critical updates fixing three critical remote code execution flaws in Adobe Reader, Acrobat, and Flash. A scheduling quirk meant Oracle's quarterly Critical Patch Update also fell on the same Tuesday, resulting in a huge volume of patches for IT administrators to deal with. Oracle fixed 144 vulnerabilities across 40 products, including Java, MySQL, VirtualBox, and its flagship Oracle database.
"While Microsoft is only releasing four updates, there is plenty of work for IT administrators due to releases by Adobe and Oracle," said Wolfgang Kandek, CTO of Qualys.
The Java patches from Oracle should be highest priority, followed by the Adobe Reader and Flash advisories, and then the Microsoft Word and XP updates, experts said.
Oracle Takes on JavaEven taking into account that Oracle patches quarterly and is fixing more products, this CPU is still a record-breaker in the number of issues fixed. Of the 144 security flaws, 82 could be considered critical as they may be exploited remotely without authentication.
The majority of the vulnerabilities addressed in Oracle's gargantuan CPU were in Java v7. Oracle fixed 34 remote execution flaws, with several scoring 10 on the Common Vulnerability Scoring System scale. CVSS indicates the seriousness of the flaw and the likelihood of the attacker gaining total control of the system.
Java was one of the most attacked softwares in 2013 and experts warned it will continue to be a popular target. If you don't use it, uninstall it. If you need to have Java installed, at least disable it in the Web browser, since all the attacks thus far have attacked the browser. If you do access Web applications that require Java, keep it on a different Web browser than your default one and switch when necessary. If you don't need it, don't keep it. If you do keep it, patch immediately.
Oracle also fixed five security flaws in its own Oracle database, one of which can be exploited remotely, and 18 vulnerabilities in MySQL. Three of those bugs could be attacked remotely and had the maximum CVSS score of 10. Server software Solaris had 11 flaws, including one which could be attacked remotely. The most serious Solaris bug had a CVSS score of 7.2. The CPU addressed nine issues in Oracle Virtualization Software, which includes virtualization software VirtualBox, of which four could be triggered remotely. The maximum CVSS score was 6.2.
If you are running any of these products, it is important to update them immediately. MySQL is widely used as the back-end system for a number of popular CMS and forum software, including WordPress and phpBB.
Reader and Flash FixesAdobe fixed security issues in Adobe Flash, Acrobat, and Reader, which if exploited, would give attackers total control of the target system. The attack vector for the Acrobat and Reader bug was a malicious PDF file. The Flash flaw could be exploited by visiting malicious Web pages or opening documents with embedded Flash objects.
If you have background updates turned on for Adobe products, the updates should be seamless. Users with Google Chrome and Internet Explorer 10 and 11 will not have to worry about the new version of Flash as the browsers will update the software automatically.
Light Microsoft UpdateMicrosoft fixed a file format vulnerability in Microsoft Word (MS14-001) that can be exploited remotely if the user opens a booby-trapped Word file. It affects all Microsoft Word versions on Windows, including Office 2003, 2007, 2010, and 2013, as well as Word document viewers. Mac OS X users are not affected.
The zero-day vulnerability (CVE-2013-5065) affecting Windows XP and Server 2003 systems that was discovered in the wild last November has finally been patched (MS14-002). Although the privilege escalation flaw in NDProxy cannot be executed remotely, it should be high-priority because it can be combined with other vulnerabilities. The attacks in November used a malicious PDF document to first trigger a flaw in Adobe Reader (which was patched May 2013 in APSB13-15) in order to access the Windows kernel bug. Microsoft fixed a similar privilege escalation flaw in Windows 7 and Server 2008 (MS14-003).
"If you are worried about 002 and not 003, you are likely going to have some problems come April when support ends for Windows XP," Rapid7 said.
On their own these vulnerabilities might not be critical, but combined they can be much more serious, Trustwave warned. If a campaign using a malicious Office document executed code targeting the privilege elevation bug, "then a phishing email to an unsuspecting user would be all that's necessary," the team said.

No comments:

Post a Comment