Microsoft Patches Word Flaw; Oracle Repairs Java Errors

Microsoft, Oracle and Adobe Systems issued security updates this week, giving system administrators plenty of work to do as part of the first round of patches issued in 2014.

Patching experts at service providers told CRN that Oracle's January 2014 Critical Patch Update, which addresses 144 vulnerabilities, deserves the most attention this month. Oracle issued critical Java fixes, repairing 34 flaws that can be remotely exploited by attackers. Every business needs to address Java at the endpoint because it is one of the most targeted software platforms, said Nash Pherson, a senior systems consultant at NowMicro, a St. Paul, Minn.-based service provider.

"Oracle is very clear that you should only have the most current update of Java running on your systems," Pherson said. "Having multiple versions running on your client's endpoint is setting you up for malware infections."

[Related: Breach Stats Prompt Need For Vulnerability, Configuration Assessment: Report ]

Recent attacks targeting Yahoo users in Europe exploited a Java vulnerability on users' machines, said Wolfgang Kandek, CTO of Qualys, Redwood Shores, Calif. The attacks were served up via a third-party advertising service used by the search engine giant to display ads on its home page.

"Java was one of the most attacked softwares in 2013 and it will continue to be so due to its sluggish update record," Kandek said.

Oracle also repaired flaws in the MySQL database management system, its virtualization software and the Oracle Solaris server software. Service providers should talk with their clients about patch management practices as a best practice to help reduce the risk of malware infections, Pherson said.

Microsoft, meanwhile, issued four bulletins in its January 2014 Patch Tuesday, repairing a flaw in Microsoft Word and a zero-day vulnerability being actively targeted by attackers against users of Windows XP and Windows Server 2003. NowMicro's Pherson called this month's round of Microsoft updates a light one, with all the security bulletins rated as important. NowMicro gave some of the coding errors a top rating on the exploitability index, indicating that attackers would be able to create malware targeting the flaw very quickly, Pherson said.

Microsoft also repaired a flaw in the Windows kernel that can be exploited to elevate privileges and errors in the Windows kernel mode-drivers. Both bulletins indicate that in order to exploit the errors, an attacker would need to have valid logon credentials and be able to log on locally to exploit the vulnerabilities.

Microsoft also addressed a flaw in Microsoft Dynamics AX enterprise resource planning software for businesses. An attacker could use the coding error to cause the system to freeze or crash, Microsoft said.

Finally, Adobe issued two critical updates addressing three coding errors in its Acrobat and Reader programs that can be targeted using a malicious PDF file. The company also repaired vulnerabilities in Adobe Flash, often targeted by attackers in drive-by attacks that infect visitors to hijacked websites.

PUBLISHED JAN. 15, 2013