Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patch Tuesday Quiet, But Adobe Issues Critical Security Updates

In the world of Microsoft security updates, 2014 is starting off softly.

In the world of Microsoft security updates, 2014 is starting off softly.

The company issued just four updates today for Patch Tuesday, none of which reached its highest severity rating of ‘critical.’ That does not mean the patches can be ignored however.

“Our top deployment priority for this month is MS14-002, which addresses a publicly known issue in the Windows Kernel,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.

“This bulletin addresses the issue first described in Security Advisory 2918840, which allows an attacker to perform an elevation of privilege if they are able to log on to a system and run a specially crafted application,” Childs continued. “We are aware of targeted attacks using this vulnerability, where attackers attempt to lure someone into opening a specially crafted PDF to access the system. Even when we first saw this, the PDF portion of the attack did not affect those with a fully updated system.”

In addition to MS14-002, there is a separate privilege escalation issue addressed by MS14-003 that impacts Windows kernel-mode drivers. The other two security bulletins affect Microsoft Dynamic AX and Microsoft Word and Office Web apps.

“It’s a pretty easy prioritization this month, patch MS14-002 if it applies to you, then 001 [Microsoft Office] and 003 if it also applies,” advised Ross Barrett, senior manager of security engineering at Rapid7. “If you are worried about 002 and not 003, you are likely going to have some problems come April when support ends for Windows XP.”

“If you have Dynamics in your environment, don’t overlook this patch,” he added. “It’s the type of system where downtime can have a material cost to your business.”

But even though IT admins do not have much to do this month on the Microsoft update front, there are other security updates that were released today that can help fill the gap. Among them are patches from Adobe Systems for Adobe Reader, Acrobat and Flash Player. The Reader and Acrobat XI (11.0.05) and earlier updates are for Windows and Mac computers. According to Adobe, the updates address issues that could cause a crash and potentially allow an attacker to take control of the affected system.

In the case of the Flash Player vulnerabilities, the updates are for versions 11.9.900.170 and earlier for Windows and Mac, and Flash Player and earlier versions for Linux. The vulnerabilities could potentially allow an attacker to take control of the affected system.

None of the vulnerabilities are known to be under attack, according to Adobe.

Separately, BlackBerry issued a warning today that its newest smartphones and tablets are at risk of remote code execution attacks via vulnerabilities in Adobe Flash Player. According to the security advisory, a malicious hacker could booby-trap Adobe Flash content and lure users into visiting rigged Web pages or downloading Adobe Air applications.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.