Microsoft is starting out the new year quietly with just four security bulletins planned for Patch Tuesday.
None of the bulletins are rated ‘Critical’; instead, all of them are classified as ‘Important.’ Just one of the bulletins addresses a remote code execution vulnerability. That particular bulletin impacts Microsoft Office and Server Software. Of the remaining bulletins, one addresses a denial-of-service condition, while the other two impact privilege escalation issues.
Slated to be included in the release is a fix for a vulnerability reported in November that has been the subject of limited, targeted attacks.
“The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own. This only impacts customers using Windows XP or Server 2003 as more recent Windows versions are not affected.”
Besides Office and Server Software, the other updates will be targeted at Windows and Microsoft Dynamics AX.
“2014 is getting off to a light start with Microsoft,” said Ross Barrett, senior manager of security engineering at Rapid7.
“It’s a pretty easy prioritization this month. Patch MS14-001, then whichever of 002 or 003 apply to you,” he said. “Patch the DoS [denial-of-service] in MS Dynamics when you are really bored sometime… no, just kidding. If you have Dynamics in your environment, don’t overlook it. It’s the type of system where downtime can have a material cost to your business.”
The updates will be released Jan. 14 at 10 a.m. PST.
“Looks like a pretty low key week,” said Ken Pickering, director of engineering at CORE Security. “There’s one remote code execution on Office, which may be an issue for Office users. Also, there’s a couple patched escalation of privilege patches for Windows 2003/XP, which is an old operating system and shouldn’t surprise anyone. There’s a DoS attack against Microsoft Dynamics AX, but it doesn’t look too severe. All and all, this week after the holidays is a quiet one in regards to patching.”