Microsoft released its lightest patch bundle in over a year last night, addressing four important issues in Windows, Office, and Dynamics AX.
Despite only being rated as important, Microsoft rated MS14-002 as the priority, as this addresses a publicly known issue in the Windows Kernel.
Ross Barrett, senior manager of security engineering at Rapid7, said: “MS14-002, addresses the somewhat awaited kernel elevation of privilege issues known as CVE-2013-5065, which was reported and disclosed back in November with some limited exploitation in the wild. The issue only affects Windows XP and 2003 systems, but if you are running those I would consider this something to patch quickly.”
Despite the small number of patches, Wolfgang Kandek, CTO of Qualys described this as “plenty of work for IT administrators due to releases by Adobe and Oracle”. Talking about MS14-002, he said: “The vulnerability is a local Escalation of Privilege, so it can only be used by an attacker who is already on the machine as a standard user and needs to gain administrative rights.
“Microsoft first acknowledged its existence on 27th November in KB2914486 and indicated that it was used in a small number of targeted attacks that used a patched vulnerability in Adobe Reader (APSB13-15 from May 2013) as a delivery vehicle.”
Tyler Reguly, security research and development manager for Tripwire, called this the “only interesting patch” as it was used in conjunction with Adobe exploits to escape the sandbox and gain system level access.
“Microsoft and Adobe has been mostly synchronised for a while now and that has made security teams’ lives easier. I was, however, shocked to see Oracle jumping on the bandwagon this month. Here’s hoping large enterprises have everything in place to handle the sheer volume of patches coming out today. With three major vendors releasing content, this is definitely a time to have solid vulnerability management program in place,” he said.
Oracle addressed 144 vulnerabilities in its Critical Patch Update (CPU) for January 2014, with the majority of vulnerabilities in Java v7. Adobe is releasing two critical updates: APSB14-01 is an update to Adobe Acrobat and Reader, with an attack vector being a PDF file; and APSB14-02 is an update to Adobe Flash, which has the typical attack vectors of malicious web pages and documents with embedded Flash objects.