Microsoft Advance Notification for January 2014

Microsoft is scheduled to release its next security update for consumers on January 14th, affecting Windows platforms, Microsoft Office software, and Microsoft Dynamics AX. This is one of the lightest security releases seen in some time, with only four bulletins, each rated "Important". Last year was pretty rough for administrators since each Microsoft security update contained at least one "Critical" vulnerability. These required affected systems to be upgraded immediately. By comparison, next Tuesday's release should be easier to remediate than previous security updates.

This does not mean that administrators should take the January security release lightly. One bulletin, covering Microsoft Server software and Office, gives an attacker remote code execution capabilities. Additionally, two bulletins discuss vulnerabilities that allow an attacker to escalate privileges. December's Microsoft Patch Tuesday blog post mentioned a Windows Kernel elevation of privilege vulnerability (CVE-2013-5065, aka Kernel NDProxy Vulnerability) that has remained unpatched since November. It is highly anticipated that the January release will provide a fix for this particular vulnerability. This would be one of the higher priority patches, since exploits have been observed in the wild taking advantage of this vulnerability in conjunction with an Adobe Reader vulnerability.

For a complete run-down of the January Microsoft security bulletins, please come back on January 14th. We hope to see you back soon!
