Slow Patch Tuesday for Microsoft, but record-breaking update for Oracle

Jan 14, 2014 | 3 mins
Application Security, Cybercrime, Network Security

Microsoft tried to give IT admins a break this month, but Adobe and Oracle filled the void with critical updates of their own.

It’s Patch Tuesday. Microsoft only produced four security bulletins this month, and none of them are even rated as Critical. Yawn.

There are some crucial updates today—they’re just not from Microsoft. Adobe and Oracle joined the patch release party, and both have patches you should probably install sooner rather than later.

Tyler Reguly, security research and development manager for Tripwire, sums up Microsoft’s Patch Tuesday. “Waiting for Microsoft’s patch drop is a bit like being a kid on Christmas Eve waiting for that new bike you asked for. In today’s release, instead of the new bike, I find myself looking at an itchy homemade sweater from Grandma and socks instead of a bike.”

In and of themselves, none of the four Microsoft security bulletins stands out as urgent, but Trustwave researchers point out that a combination of successful exploits could be greater than the sum of its parts. “On their own these vulnerabilities might not be critical, but combined they can be much more serious. If an attacker used a malicious Office document to execute code that takes advantage of the privilege elevation vulnerability, then a phishing email to an unsuspecting user would be all that’s necessary.”

The real security news today comes from Adobe and Oracle. Adobe has two Critical updates—one for Adobe Acrobat and Reader, and one for Adobe Flash. Successful exploitation of either allows remote code execution and effectively gives the attacker complete control of the affected system, so these patches should be applied quickly. Users of Chrome and of Internet Explorer 10 and 11 don’t need to apply the Flash patch themselves, because those browsers bundle Flash and will pick up the fix automatically with their next browser update.

Oracle is the elephant in the room. With 144 separate vulnerabilities addressed in the latest Critical Patch Update (CPU), Oracle has set a new record. Wolfgang Kandek, CTO of Qualys, explains that Java v7 update 51 alone has 34 different remotely exploitable vulnerabilities.

Kandek stresses, “Java was one of the most attacked softwares in 2013 and it will continue to be so due to its sluggish update record. It was in the news recently when attackers installed malware through advertisements on Yahoo’s homepage by abusing a Java vulnerability on the affected users’ machines.”

So, Microsoft may have given IT admins a break, but Adobe and Oracle are here to keep things interesting. Make sure you address all of the patches and updates that impact your environment as quickly as possible.


Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.