The scorecard this month looks like a slaughter, but in this game the object is to get the lowest score possible, and as far as patches are concerned, Microsoft is the clear winner this month. January 2014 has been a great start to the year for Microsoft because “Patch Tuesday” saw no critical updates from them… Oracle, on the other hand, recently announced a banner crop of 34 critical updates – to Java alone!
Microsoft is pretty light this month
Let’s start by looking at what Microsoft did release this month. The January 2014 Security Bulletin includes four security bulletins. All four were rated as’ Important’ by Microsoft, since successful exploit of the worst of the lot would only enable remote code execution in the security context of the logged on user. While that sounds pretty bad (if you don’t follow recommended practices not to be regularly logged on as an administrative user), it can only exploit user privileges, not system, so it only rates as ‘important’. Patches for all four vulnerabilities were released by Microsoft on schedule and can be deployed now. Reboots will be required.
The updates from Microsoft can be downloaded from links in the table below:
[table id=2 /]
Oracle more than makes up for it
Oracle on the other hand released a Critical Patch Update (CPU)on Tuesday of this week that contains a whopping 144 fixes for various Oracle products. A total 34 of the 36 patches for Java alone should be considered critical, as they can exploit vulnerabilities in Java remotely and without authentication. Several of the other 144 fixes in this CPU also can be exploited remotely, but considering how widely deployed Java is across so many different operating systems, it’s those 34 that have me most concerned. The vulnerabilities in Java can even be exploited in sandboxed applications, so there really is no system out there that is using Java and can be considered safe.
Readers are urged to test and deploy the updates from Microsoft and Oracle as soon as possible. Again, the widespread adoption of Java across so many platforms makes this round of fixes from Oracle extremely important. Even though it seems Microsoft cut us all a break this month, there’s no rest for the weary since Oracle more than made up for it with Java.
The Oracle released updates can be downloaded from the links below:
[table id=3 /]
Administrators with patch management software like GFI LanGuard can easily deploy all of the Microsoft and Oracle patches now. Without patch management that can handle third party patches, admins are in for a long week ahead as they rush to test and patch both mission critical servers and workstations. Even Linux sysadmins are not immune, as the Java SE in both Linux and Solaris is vulnerable.
While many sysadmins may be tempted to skip updates from time to time, this is not the month to do so. The next CPU from Oracle will not be released until April, and there are no practical mitigations or workarounds for the Java vulnerabilities. You need to patch, and you need to do it now.