Patch Priority Index for February 2013
|Oracle Java CPU – Feb 2013||CVE-2013-0437, CVE-2013-1478, CVE-2013-0442|
|APSB13-05||CVE-2013-1372, CVE-2013-0645, CVE-2013-1373|
|MS13-016||CVE-2013-1248, CVE-2013-1249, CVE-2013-1250|
|MS13-017||CVE-2013-1278, CVE-2013-1279, CVE-2013-1280|
Tripwire’s February Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle.
Topping everybody’s list lately is Java, so we start the February PPI with the Feb 2013 Oracle Java Update. There’s a big debate right now around patching Java, deleting Java, or disabling it in the browser. The answer is likely to be an organizational choice based on business needs but, whichever route you decide to go, make sure you take one of them. Leaving unpatched Java on your system these days is simply adding fuel to the fire.
Adobe surprised everyone this month with back-to-back Flash patches, so the latest one APSB13-05 is found in this month’s PPI. The initial patch, released on the 7th, addressed a 0-day vulnerability that had been seen in the wild, while the second patch, released 5 days after the first, fixed an additional 16 CVEs. To add icing to the cake, Adobe also released a Shockwave update with the second Flash update.
Rounding out the group, we have the latest batch of Microsoft vulnerabilities. This month’s Microsoft patch priority should be given to MS13-010 and MS13-009, both of which affect Internet Explorer. Additionally, this month included Oracle Outside In patches for both Exchange and SharePoint, as well as a large number of win32k.sys vulnerabilities. For more information regarding these bulletins, please see the February 12th VERT Alert.