In the world of Microsoft security updates, 2014 is starting off softly.
The company issued just four updates today for Patch Tuesday, none of which reached its highest severity rating of ‘critical.’ That does not mean the patches can be ignored however.
“Our top deployment priority for this month is MS14-002, which addresses a publicly known issue in the Windows Kernel,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.
“This bulletin addresses the issue first described in Security Advisory 2918840, which allows an attacker to perform an elevation of privilege if they are able to log on to a system and run a specially crafted application,” Childs continued. “We are aware of targeted attacks using this vulnerability, where attackers attempt to lure someone into opening a specially crafted PDF to access the system. Even when we first saw this, the PDF portion of the attack did not affect those with a fully updated system.”
In addition to MS14-002, there is a separate privilege escalation issue addressed by MS14-003 that impacts Windows kernel-mode drivers. The other two security bulletins affect Microsoft Dynamic AX and Microsoft Word and Office Web apps.
“It’s a pretty easy prioritization this month, patch MS14-002 if it applies to you, then 001 [Microsoft Office] and 003 if it also applies,” advised Ross Barrett, senior manager of security engineering at Rapid7. “If you are worried about 002 and not 003, you are likely going to have some problems come April when support ends for Windows XP.”
“If you have Dynamics in your environment, don’t overlook this patch,” he added. “It’s the type of system where downtime can have a material cost to your business.”
But even though IT admins do not have much to do this month on the Microsoft update front, there are other security updates that were released today that can help fill the gap. Among them are patches from Adobe Systems for Adobe Reader, Acrobat and Flash Player. The Reader and Acrobat XI (11.0.05) and earlier updates are for Windows and Mac computers. According to Adobe, the updates address issues that could cause a crash and potentially allow an attacker to take control of the affected system.
In the case of the Flash Player vulnerabilities, the updates are for versions 11.9.900.170 and earlier for Windows and Mac, and Flash Player 11.2.202.332 and earlier versions for Linux. The vulnerabilities could potentially allow an attacker to take control of the affected system.
None of the vulnerabilities are known to be under attack, according to Adobe.
Separately, BlackBerry issued a warning today that its newest smartphones and tablets are at risk of remote code execution attacks via vulnerabilities in Adobe Flash Player. According to the security advisory, a malicious hacker could booby-trap Adobe Flash content and lure users into visiting rigged Web pages or downloading Adobe Air applications.