April 2015 Patch Tuesday
Patch Tuesday excitement is building. There is at least one known Flash vulnerability being exploited in the wild and one Microsoft vulnerability that has been publicly disclosed this month.
Microsoft has released 11 security bulletins this month, four of which are Critical, bringing the total to 42 security bulletins so far in 2015. This is more than twice the number of security updates released at the same point last year.
From a vulnerability standpoint, the CVE count for vulnerabilities resolved as of April 2014 stood at 72. We passed that count in March, with 76 vulnerabilities resolved. When this month's 26 CVEs are included, we reach a much higher total of 102 CVEs resolved to date.
The product and service impact for Microsoft this month includes the Windows OS, IE, Office, SharePoint, ADFS, .NET and Hyper-V. Two of the OS updates, the IE update, and the Office update are rated Critical.
Flash Player is making its triumphant return to Patch Tuesday. Adobe is aware that exploits of CVE-2015-3043 exist in the wild. Between January's and February's Patch Tuesdays, three zero days were resolved by two releases in the span of about two weeks. In March the release came in the same week as Patch Tuesday, though at the end of the week. APSB15-06 resolves 22 vulnerabilities and is rated as a Priority 1 update. This should make your list of priority updates to roll out this month.
With a Flash Player update you can always expect an Advisory for Internet Explorer and a Google Chrome update. Google Chrome has a large release covering 45 vulnerabilities, including many rated High. That, together with the Priority 1 Flash plug-in, makes this release a high priority update when it arrives.
Oracle's quarterly CPU is also occurring this month and happens to fall on Patch Tuesday. Oracle Java is resolving 15 vulnerabilities, all of which are remotely exploitable without authentication. The highest CVSS Base Score among these 15 vulnerabilities is 10.0, the highest possible score. It goes without saying that Java should be a priority update this month. Three other Oracle products are resolving CVEs with a 10.0 CVSS Base Score. So if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, all of them include vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.
Join us tomorrow for the Shavlik April 2015 Patch Tuesday webinar as we discuss the releases for this month, priorities, known issues, etc.