Advance notice of August Microsoft patches – to be released on August 13

Microsoft released their advance notice of the patches that are scheduled to be released for August 2013. The information is available at –

There are a total of eight patches, three of which are identified as CRITICAL. The remaining five patches are designated as IMPORTANT.  Critical patches would allow remote code execution if successfully exploited.  Two of the patches designated as IMPORTANT would allow an elevation of privilege if exploited. The remaining three IMPORTANT patches would either allow a denial of service or information disclosure to occur.

Critical patches apply to the following Operating Systems and Applications: all versions of Internet Explorer when installed on Workstation Operating Systems (bulletin #1), Windows XP and Windows Server 2003 (bulletin #2) and Microsoft Exchange 2007SP3, 2010SP2 and SP3 and 2013 Cumulative update 1 and update 2 (bulletin #3).

As is normally the case, with the exception of bulletin #2 for Windows Server 2003, no patches for the month of August are assigned a critical designation when installed on Server operating systems.

No additional information is currently available.  It is currently unknown if the Internet Explorer vulnerabilities have been made public previously.  It is also currently unknown if reliable exploit code is expected within 30 days for the vulnerabilities scheduled to be addressed on August 13.  An update will be provided once the details have been made available.

As of this time, no other vendors have announced releases of patches for any third party products (such as Adobe Reader, Flash or Oracle Java).

Update August 13 1:30 p.m.

Microsoft has provided additional details on the patches that are being released on Tuesday, August 13. The eleven vulnerabilities identified in patch MS13-059 (also known as August Bulletin #1) for Internet Explorer have not been disclosed publically prior to August 13. However, as reliable exploit code is expected for these vulnerabilities within the next 30 days, the AgriLife ISO recommendation is that that the patches be applied to all Windows workstations as soon as possible.


The patch identified as MS13-060 –  (also known as August Bulletin #2), only applies to Windows XP and Windows Server 2003 systems. While it is considered a critical vulnerability, reliable exploit code is not expected to be identified within the next 30 days.  Further, the vulnerability only applies to Windows XP or Server 2003 systems that have the Bengali font installed. The AgriLife ISO recommendation is that the patch should be applied to the applicable workstations and servers within the Unit based on applicability.


The patch identified as MS13-061 – (also known as August Bulletin #3), applies to all currently supported Microsoft Exchange environments.  The patch addresses three vulnerabilities that exist in the Oracle Outside-In features that are included in Exchange 2007, 2010 and 2013. Two of the vulnerabilities are  applicable only to the Webready document viewing features of Outside In on Exchange 2007 and 2010. While it is not expected that reliable exploit code will be made public within the next 30 days, it is recommended that the Webready features of the Outlook Web Agent are disabled until the patch can be applied to Exchange 2007 and 2010 systems.  The AgriLife ISO recommendation is that the Oracle Outside-In Webready features be disabled until Microsoft patch MS13-061 can be applied.

The third patch only applies to the Data Loss Prevention features of Exchange 2013 (CVE-2013-3781).  As the AgriLife ISO is not aware of any AgriLife implementations of Exchange 2013, no risk is believed to exist and for that reason, no mitigation practices or patch deployment strategy is provided for vulnerability CVE-2013-3781.



Categories: Uncategorized