Patch Tuesday January 2014 - Microsoft, Adobe and Oracle
by Chester Wisniewski
As expected, Microsoft delivered four patches on Patch Tuesday covering Windows XP, 2003, 7, 2008 R2, Word and Dynamics. All four patches are rated important, the first time in memory that none of the fixes were critical.
The Word fix applies to all Windows versions and addresses a flaw that could result in remote code execution. The operating system fixes will require a reboot.
Adobe also released fixes today for Acrobat and Reader X and XI. This first update of 2014 for Adobe fixes three remote code execution vulnerabilities and should be considered a critical update.
You can get the updates from the integrated updater tool or from http://get.adobe.com/reader.
The big one today is Oracle's quarterly update, which it calls Critical Patch Update January 2014. As Duck commented, it is a bundle of fixes covering 144 different vulnerabilities.
Many Oracle products are covered; I am only going to highlight the most common ones here. You can view the complete list on Oracle's security page.
Java has been updated, as expected, fixing 36 vulnerabilities, 34 of which are remotely exploitable without authentication.
If you don't need Java, please turn it off in your browser. If you aren't sure, turn it off in your browser... You can always reinstall. If you must have it installed, be sure to apply this update immediately.
Oracle also patched 18 vulnerabilities in MySQL, three of them remotely exploitable, and 9 vulnerabilities in VirtualBox, four of which are remotely exploitable.
(Note: only older supported branches of VirtualBox get updates, namely versions 3.2, 4.0, 4.1 and 4.2. If you are already on the most recent branch, namely 4.3, you should already have 4.3.6, which remains the latest version.)
As always, we advise you to update as soon as you are able.