For today’s Patch Tuesday, Microsoft released seven bulletins (a surprise after only announcing five last week) and Adobe released one. There are four critical advisories, to me the most important of which is MS14-010 affecting Internet Explorer versions 6 through 10. This patch fixes 24 vulnerabilities, one of which has been publicly disclosed. Considering that 22 of these vulnerabilities can lead to remote code execution, this fix is priority one. MS14-007 is a flaw in the Direct2D graphics engine in Windows 7 through 8.1, including RT.
It is also related to Internet Explorer and could result in a malicious web page exploiting this flaw to achieve remote code execution. The last major one to look out for is MS14-011, flaws in the VBScript interpreter affecting Win XP through 8.1 (RT inclusive) and Internet Explorer versions 8 through 11. Server editions have mitigation implemented through blocking active scripting inside Internet Explorer, but expediting this fix is still recommended.
The fourth critical flaw is a remote code execution flaw in Forefront for Exchange, while the three important vulnerabilities are in XML, .NET and the Windows IPv6 stack. Adobe’s fix is for the Shockwave Player and resolves two critical remote code execution vulnerabilities. In addition to recommending that you remove Shockwave if you have it installed, there is another reason to avoid it. Adobe seems to think that its job includes trying to force you to install unwanted applications along with its plugins.
In my case it tried to “opt me in” to installing Chrome. It is a dodgy practice to bundle other applications by default and even worse practice when someone is downloading a security update. Shame on you Adobe.
For those who want to download Shockwave without the bundleware you can go to the Adobe alternates download page.
by Chester Wisniewski on February 11, 2014