Microsoft will release its lightest Patch Tuesday next week, with only four patches released.
Covering vulnerabilities in Windows, Office and Dynamics AX, all three are rated as “important”. The Office patch affects a remote code execution issue, the two Windows patches are both for elevation of privilege and the Dynamics AX is for a denial of service flaw.
Wolfgang Kandek, CTO of Qualys, said it expects one of the Windows patches to address the zero-day vulnerability CVE-2013-5065 in Windows XP and 2003, which has seen limited attacks since the end of November of last year. “These attacks have been coming in through PDF documents using an already fixed vulnerability of Adobe Reader and users of updated versions, i.e post APSB13-15 from May of 2013 should be immune to this attack vector,” he said.
Ross Barrett, senior manager of security engineering at Rapid7, said: “The second bulletin, likely MS14-002, will address the somewhat awaited kernel elevation of privilege issues known as CVE-2013-5065, which was reported and disclosed back in November with some limited exploitation in the wild. The issue only affects Windows XP and 2003 systems, but if you are running those I would consider this something to patch quickly.
“The third bulletin is another elevation of privilege issue affecting Windows 7 and 2008, so if you dodged a bullet with CVE-2013-5065, you are still impacted by this one. No getting out of it this month.
The fourth bulletin is a denial of service in the seldom seen Microsoft Dynamics product. This is about as marginal a concern as you can get to in terms of MS advisories.
It’s a pretty easy prioritisation this month. Patch MS14-001, then whichever of 002 or 003 apply to you. Patch the DoS in MS Dynamics when you are really bored sometime… no, just kidding. If you have Dynamics in your environment, don’t overlook it. It’s the type of system where downtime can have a material cost to your business.”
Andrew Storms, director of dev ops for CloudPassage, made the point that Microsoft will not be issuing a patch for Explorer this month, potentially for the first time in an over a year. Barratt said: “For the first time in a while, there is not a cumulative IE roll up patch. This must be an indication that the IE team was finally allowed to take some time off over the holidays in light of the gruelling 2013 they put in. Expect them back in February, no doubt.”
Kandek said: “While there is no update for Internet Explorer, taking care of your browser should still be among your highest priority items. Running the most updated browser version is the best way to deal with the web based attacks, which have increased their heft in 2013.”
Lamar Bailey, director of security R&D at Tripwire, said: “Take note there is no IE bulletin this month as that is a rare occurrence lately and on the OS front there are no patches for the latest operating systems – only XP, win 7 and Server 2008.
“The only real interesting bulletin is the Office bulletin that fixes remote code execution issues. Looks like the Polar Vortex froze the MS patch machine this month but we are not complaining.”