Microsoft plans to release four bulletins as part of the January 14 Patch Tuesday security update.
One bulletin is rated "Critical" and three are rated "Important".
Affected Products:
All supported Windows operating systems
All versions of Office
Office Web Apps 2010 and 2013
SharePoint Server 2010 and 2013
Dynamics AX 4.0, 2009, 2012, and 2012 R2
Bulletin #1, rated Important, affects Microsoft Office Compatibility Pack Service Pack 3, Microsoft Word Viewer, Word Automation Services in SharePoint Server 2013 and 2010 – Service Packs 1 and 2 – as well as Microsoft Office Web Apps 2010 – Service Packs 1 and 2 – and Office Web Apps Server 2013.
Bulletin #2, rated Critical, addresses the 0-day vulnerability CVE-2013-5065 in Windows XP and 2003, which has seen limited attacks since the end of November of last year. These attacks have been coming in through PDF documents using an already fixed vulnerability in Adobe Reader, so users of updated versions, i.e., post-APSB13-15 from May of 2013, should be immune to this attack vector.
Bulletin #3, rated Important, covers an elevation of privilege vulnerability in Windows 7 and Windows Server 2008 R2.
Bulletin #4, rated Important, addresses a denial of service vulnerability in Microsoft Dynamics AX 4.0 Service Pack 2, 2009 Service Pack 1, 2012, and 2012 R2.
The biggest surprise, however, is that there is no Internet Explorer patch this month. "This must be an indication that the IE team was finally allowed to take some time off over the holidays in light of the grueling 2013 they put in," comments Ross Brewer, senior manager of security engineering at Rapid7. But he doesn't think it's because IE has become suddenly secure: "Expect them back in February," he adds.
According to Sean Michael Kerner at eWeek, "The fact that Microsoft has not identified an IE fix in its advance notification for the January Patch Tuesday update also does not absolutely mean that Microsoft won't include a fix that will impact IE either. It is possible that the security bulletins labeled as affecting Microsoft Windows will, in fact, have an impact that relates to IE. In the modern world, the browser is the key window to the connected Web that is the Internet, and IE is on the front line in the battle against attackers."
Now, the fact that I don't know about any IE zero day flaws, doesn't mean that some do in fact likely exist.
- See more at: http://www.eweek.com/blogs/security-watch/microsofts-first-patch-tuesday...
Windows XP
Bulletin #2 is a must for Windows XP users. “If you’re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan,” as “Microsoft will end support for XP in April,” said Russ Ernst, a director of product management at Lumension.
Additional Updates
In addition to Microsoft patches, expect a fresh batch of Adobe patches (Reader and Flash).
Oracle (Java) will also release the first of its quarterly Critical Patch Updates for 2014.
Wolfgang Kandek, CTO of Qualys, said: “These quarterly releases typically address over 100 vulnerabilities in their large software line. Analysing the applicability of these flaws to one’s software infrastructure and addressing them are a major concern for any organisation that uses Oracle products.”
Mac and Linux users should apply updates from Oracle and Adobe. However, none of the Microsoft updates apply to your operating system.
Bottom Line: Restart your Microsoft Windows Computers and Servers Wednesday Morning!