Patch Priority Index for February 2013

| Bulletin | CVE |
| --- | --- |
| Oracle Java CPU – Feb 2013 | CVE-2013-0437, CVE-2013-1478, CVE-2013-0442 |
| APSB13-05 | CVE-2013-1372, CVE-2013-0645, CVE-2013-1373 |
| MS13-010 | CVE-2013-0030 |
| MS13-009 | CVE-2013-0015 |
| APSB13-06 | CVE-2013-0635, CVE-2013-0636 |
| MS13-020 | CVE-2013-1313 |
| MS13-015 | CVE-2013-0073 |
| MS13-011 | CVE-2013-0077 |
| MS13-016 | CVE-2013-1248, CVE-2013-1249, CVE-2013-1250 |
| MS13-017 | CVE-2013-1278, CVE-2013-1279, CVE-2013-1280 |

Tripwire’s February Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle.

Topping everybody’s list lately is Java, so we start the February PPI with the Feb 2013 Oracle Java Update. There’s a big debate right now around patching Java, deleting Java, or disabling it in the browser. The answer is likely to be an organizational choice based on business needs but, whichever route you decide to go, make sure you take one of them. Leaving unpatched Java on your system these days is simply adding fuel to the fire.

Adobe surprised everyone this month with back-to-back Flash patches, so the latest one, APSB13-05, is included in this month’s PPI. The initial patch, released on the 7th, addressed a 0-day vulnerability that had been seen in the wild, while the second patch, released 5 days after the first, fixed an additional 16 CVEs. To add icing to the cake, Adobe also released a Shockwave update alongside the second Flash update.

Rounding out the group, we have the latest batch of Microsoft vulnerabilities. This month’s Microsoft patch priority should be given to MS13-010 and MS13-009, both of which affect Internet Explorer. Additionally, this month included Oracle Outside In patches for both Exchange and SharePoint, as well as a large number of win32k.sys vulnerabilities. For more information regarding these bulletins, please see the February 12th VERT Alert.