The August 2013 Patch Tuesday advance notification includes a slightly higher volume of fixes than last month, but only 3 of 8 are critical, which is down from July’s 6 of 7 critical fixes. However, in a reversal from last month, the advisories are focused on Windows operating system patches, plus one Exchange issue.
Remember that a “critical” rating from Microsoft factors in exploitability and whether the vulnerability has been responsibly disclosed. Given this, we could be looking at a number of issues that are already being exploited in the wild.
I would consider Bulletin #3 to be of the greatest concern, as it affects all supported versions of Microsoft’s Exchange Server and is rated as critical with remote code execution. If this is truly a remotely exploitable issue that does not require user interaction, then it’s a potentially wormable issue and definitely should be put at the top of the patching priority list.
Bulletin #1 is the monthly patch for Internet Explorer’s critical issues and should be the second prioritized patch, given its rating and broad exposure.
The third critical issue is Bulletin #2 and only applies to Windows XP and 2003. Therefore, for some organizations this patch may be of less concern, if they have already moved to newer Windows versions.
The other five advisories (two Elevation of Privilege, two Denial of Service (DoS), and one Information Disclosure) are spread across Windows versions, with the only remarkable point being that one of the DoS vulnerabilities applies exclusively to Server 2012.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.