Skip navigation

On Thursday (Feb 6) Microsoft announced the forthcoming content for Patch Tuesday – Feb 10, 2014.

 

Number of Releases: 7

Critical Security Updates: 4 addressing vulnerabilities in Windows XP/Vista/7/8/8.1, Windows Server 2012/2012R2, Windows RT/RT8.1, Internet Explorer (all versions), and Forefront Protection 2010 for Exchange Server.

Important Security Updates: 3 addressing vulnerabilities in Windows XP/Vista/78/8.1, Windows Server 2003/2008/2008R2/2012/2012R2, Iand Internet Explorer (all versions).


You can have Microsoft's security bulletins sent directly to you:

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.


Microsoft also hosts a webcast where they discuss the releases, typically the Wednesday after Patch Tuesday:

Microsoft will host a webcast to address customer questions on the security bulletins on Feb 12, 2014, at 11:00 AM Pacific Time (US & Canada).

Register now for the February Security Bulletin Webcast.

You can also follow the MSRC team at @MSFTSecResponse.


Updates are typically released by Microsoft at 10am PDT (5pm UTC).

Configuring WSUS servers to synchronize relative to that time can be helpful in expediting availability of these security updates.

Yesterday (Tue Feb 4), Adobe published a Security Bulletin and released an emergency patch for Flash v12 (for Windows and MacOS) and Flash v11 (for Linux) to address the vulnerability documented in CVE-2014-0497.

 

Concurrent with that, Microsoft has released patches for IE10 and IE11 (which have Flash embedded) as KB2929825. Make special note that this update is not cumulative, and it does require that the January update, KB2916266 is installed first.

 

The vulnerability is related to an integer underflow in Adobe Flash Player that allows remote attackers to execute arbitrary code via unspecified vectors. The vulnerabiity is being actively exploited.

 

How bad is it.... I'm still trying to track down authoritative information on that, but considering that next Tuesday, Feb 11, would have been the regular release of updates for Adobe products, it seems that Adobe felt this warranted being pushed a week earlier. If you're interested in an in-depth analysis, this is the original article reporting the discovery of the active zero-day exploit by Kaspersky.