Patch Priority Index for August 2013

| Bulletin | CVE |
| --- | --- |
| MS13-059 | CVE-2013-3184, CVE-2013-3187, CVE-2013-3188 |
| MS13-060 | CVE-2013-3181 |
| MS13-061 | CVE-2013-2393, CVE-2013-3776, CVE-2013-3781 |
| MS13-063 | CVE-2013-2556, CVE-2013-3196, CVE-2013-3197 |
| MS13-062 | CVE-2013-3175 |
| MS13-066 | CVE-2013-3185 |
| MS13-065 | CVE-2013-3183 |
| MS13-064 | CVE-2013-3182 |
| APSB13-17 | CVE-2013-3344, CVE-2013-3345, CVE-2013-3347 |
| Oracle Java June CPU | CVE-2013-2470, CVE-2013-2471, CVE-2013-2472 |


Tripwire’s August Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe and Oracle.

The only new vulnerabilities to make this list this month are from Microsoft. Adobe and Oracle get honourable mentions at the end of the list as a reminder of the most recent Flash and Java patches. If you still haven’t installed those, they should be considered a top priority.

This month was slow from a patch standpoint as we didn’t even see the usual Adobe patches, but Microsoft decided to keep everyone on their toes. In addition to the usual IE and Kernel memory corruption vulnerabilities, we saw fixes for a couple of ASLR bypasses that were first published at CanSecWest and Pwn2Own.

Perhaps the most interesting news of the month is the post-patch news that people may have missed. Microsoft pulled the patches from two advisories after their release, removing the downloads for MS13-061 and MS13-066 to “address issues with the updates”. They then restored the download for some of the MS13-066 patches and later released updates for the other MS13-066 patches. Note that they also merged patches, eliminating unnecessary downloads. This is important for anyone who may have to reinstall the patch. At this time, downloads for Exchange Server 2013 for MS13-061 still haven’t been restored.