
Microsoft Plans Quiet Patch Tuesday for January

Microsoft is starting out the new year quietly with just four security bulletins planned for Patch Tuesday.

None of the bulletins are rated ‘Critical’; all four are classified as ‘Important.’ Only one addresses a remote code execution vulnerability, and that bulletin covers Microsoft Office and Server Software. Of the remaining three, one addresses a denial-of-service condition and the other two address elevation-of-privilege issues.

Slated to be included in the release is a fix for a vulnerability reported in November that has been the subject of limited, targeted attacks.

“The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own. This only impacts customers using Windows XP or Server 2003 as more recent Windows versions are not affected.”

Besides Office and Server Software, the other updates will be targeted at Windows and Microsoft Dynamics AX.

“2014 is getting off to a light start with Microsoft,” said Ross Barrett, senior manager of security engineering at Rapid7.

“It’s a pretty easy prioritization this month. Patch MS14-001, then whichever of 002 or 003 apply to you,” he said. “Patch the DoS [denial-of-service] in MS Dynamics when you are really bored sometime… no, just kidding. If you have Dynamics in your environment, don’t overlook it. It’s the type of system where downtime can have a material cost to your business.”

The updates will be released Jan. 14 at 10 a.m. PST.

“Looks like a pretty low key week,” said Ken Pickering, director of engineering at CORE Security. “There’s one remote code execution on Office, which may be an issue for Office users. Also, there’s a couple patched escalation of privilege patches for Windows 2003/XP, which is an old operating system and shouldn’t surprise anyone. There’s a DoS attack against Microsoft Dynamics AX, but it doesn’t look too severe. All in all, this week after the holidays is a quiet one in regards to patching.”
