The Inquirer-Home

Microsoft's January Patch Tuesday tackles Windows XP security holes

Patching all it can before end of support in April
Tue Jan 14 2014, 11:46

SOFTWARE PATCH FACTORY Microsoft will issue its monthly Patch Tuesday security bulletin later today, addressing flaws in Windows, Microsoft Office and Dynamics AX.

We can't decide whether it's a good or bad thing, but there are just four bulletins in this month's patch, according to an advance notification. That is significantly fewer than the seven bulletins seen in January 2012 and January 2013, and none of the patches is rated "critical". All of the patches are rated "important", however.

Bulletin one patches a remote code execution vulnerability in a recent version of Internet Explorer to ensure protection against web-based attacks.

"Taking care of your [web] browser should still be among your highest priority items," said Qualys CTO Wolfgang Kandek. "Running the most updated browser version is the best way to deal with the web based attacks, which have increased their heft in 2013. They are now the main threat vector, and more companies have been infected through web-based attacks than through e-mail."

Bulletin two addresses a zero-day flaw in Windows XP and Windows Server 2003 that has seen limited attacks since the end of November of last year.

"The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486," Microsoft's trustworthy security blogger Dustin Childs said in a blog post.

"We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own. This only impacts customers using Windows XP or [Windows] Server 2003 as more recent Windows versions are not affected."

Bulletin three patches an elevation of privilege bug in Windows, while bulletin four patches a distributed denial of service (DDoS) vulnerability in Microsoft's enterprise resource planning (ERP) system, Dynamics AX.

While Microsoft's Patch Tuesday doesn't have any critical patches this month, that isn't the case for enterprise software vendor Oracle, which will also issue its first patch update of 2014 today. The update is one of its biggest ever and includes a slew of security patches, many of which address vulnerabilities in Java.

Oracle's Critical Patch Update will address 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 bugs that can be exploited remotely by an attacker without requiring authentication.

Microsoft will host a webcast to address customer questions about the January Patch Tuesday security bulletins on Wednesday at 7pm GMT. µ

