Adobe and Oracle join the patching fray this week

Every few months, when the planets align just right, three of the most vulnerable vendors in the industry simultaneously release patches. And this is one of those magical weeks.

Let’s start by taking a look at the vendor that started the Patch Tuesday madness, Microsoft. Microsoft released nine bulletins: three rated critical, five rated important, and one rated moderate.

The first critical bulletin fixes issues with, wait for it… Internet Explorer. All versions of Internet Explorer are being patched yet again. Nothing new here; at this point, if IE isn’t part of the first critical bulletin, I would be concerned for the safety of the IE security team.

The second critical bulletin addresses .NET and fixes a remote code execution vulnerability. Also included in this month’s patches are SharePoint Server and Office Web Apps Server. They are being patched for the fourth time since the start of 2014, this time due to a code execution vulnerability rated as important.

Oracle’s Critical Patch Update contains 154 security fixes across a multitude of products, including 31 fixes for Oracle Database, 5 fixes for PeopleSoft, and 25 for Java SE, to name a few. The Java patches remediate the most critical vulnerabilities, with 22 being remotely executable and 9 having a CVSS score of 7 or higher. Oracle also previously released a Security Alert on September 26 to repair the Bash “Shellshock” vulnerability in Oracle products.

Adobe released a security update for two of its products: Flash Player and ColdFusion. The Flash Player fix addresses three vulnerabilities (CVE-2014-0558, CVE-2014-0564, CVE-2014-0569) on Windows, Mac, and Linux operating systems. These vulnerabilities could potentially allow an attacker to take control of the affected system. The ColdFusion fix also addresses three vulnerabilities (CVE-2014-0570, CVE-2014-0571, CVE-2014-0572) that could be exploited by an unauthenticated local user to bypass IP address access control restrictions applied to the ColdFusion Administrator.

To stay up to date on these or any of the latest vendor vulnerabilities, visit the Skybox Vulnerability Center.