Microsoft is giving IT admins a break this month. The average number of security bulletins per month in 2013 was just under nine, and Microsoft finished the year with 11 security bulletins in December. According to the advance notification from Microsoft, though, there are only four security bulletins scheduled for the first Patch Tuesday of 2014 and none of them are even rated as Critical.
For the first time in many months there isn’t even a cumulative update for Internet Explorer among the bunch. MS14-001 addresses a remote code execution vulnerability in SharePoint and Microsoft Word, MS14-003 deals with an elevation of privilege bug affecting Windows 7 and Windows Server 2008 R@, and MS14-004 fixes a denial-of-service issue in Microsoft Dynamics.
That leaves us with MS14-002. This security bulletin is the most crucial of the bunch because it addresses an elevation of privilege vulnerability in Windows XP and Windows Server 2003 that has already seen some exploitation in the wild. Microsoft had previously issued Security Advisory 2914486 to alert users to the threat, and now there is finally a patch to resolve the issue.
Qualys CTO Wolfgang Kandek shared his thoughts on the advance notification in a blog post. “We expect Bulletin #2 to address the 0-day vulnerability CVE-2013-5065 in Windows XP and 2003, which has seen limited attacks since the end of November of last year. These attacks have been coming in through PDF documents using an already fixed vulnerability of Adobe Reader and users of updated versions, i.e post APSB13-15 from May of 2013 should be immune to this attack vector.”
Russ Ernst, director of product management for Lumension, explains, “It’s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April. If you’re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.
The fact that all four security bulletins are only ranked as Important shouldn’t deter you from deploying the patches as soon as possible. Obviously, if you don’t have Microsoft Dynamics, or you don’t use the affected operating systems you need not be concerned, but for all affected operating systems and applications that are in your environment it is always important to apply patches in a timely manner.