This month we have patches from Adobe, Microsoft and Oracle launching today:
Microsoft published their monthly advance notification for critical and important patches, and this month there are four patches:
- MS14-001 - Rated Important - affects Microsoft Office and Microsoft Server Software: may allow remote code execution. Patch may require a reboot.
- MS14-002 - Rated Important - affects Windows: may allow elevation of privilege. Patch requires a reboot.
- MS14-003 - Rated Important - affects Windows: may allow elevation of privilege. Patch requires a reboot.
- MS14-004 - Rated Important - affects Microsoft Dynamics AX: may cause a Denial of Service. Patch may require a reboot.
Adobe's update addresses issues with their popular PDF applications Reader and Acrobat. These updates affect the following products:
- Adobe Reader XI (11.0.05 and earlier) for Windows and Mac OS X
- Adobe Reader X (10.1.8 and earlier) for Windows and Mac OS X
- Adobe Acrobat XI (11.0.05 and earlier) for Windows and Mac OS X
- Adobe Acrobat X (10.1.8 and earlier) for Windows and Mac OS X
Adobe's updates are rated priority level 1 (critical) and address three issues (CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496). All three vulnerabilities, if exploited, could lead to remote code execution: simply opening a PDF file designed to exploit these vulnerabilities will likely leave you the victim of a malware infection.
Oracle's patch announcement is by far the largest of the three companies - 40 patches which impact 46 different products. Of the 144 vulnerabilities being patched, over 80 of them are rated critical.
Arguably the most important patches announced by Oracle are those affecting their Java environment. Attackers exploiting these vulnerabilities may be able to deliver malware to unpatched computers.
You can read Oracle's patch announcement here.
As always, it's important to roll these patches out as quickly as possible, especially when so many of them fix flaws that can allow remote code execution. Cybercriminals are quick to add exploits for freshly patched vulnerabilities to their exploit kits in order to infect slow patchers.