Patch Priority Index for April 2012
| Update | CVE | CVSS Score |
|---|---|---|
| Oracle February CPU for Java | CVE-2012-0507, CVE-2012-0508 | 10.0 |
| Java for OS X 2012-003 | CVE-2012-0507 | 7.5 |
| Oracle April CPU | CVE-2012-0519, CVE-2012-0510 | 10.0 |

Tripwire's April Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, Apple, and Oracle.
This month sees a portion of Microsoft patches identified in the February PPI migrating to the bottom of the list, while newcomers take the top spots.
The most notable inclusion this month is CVE-2012-0507, which took the top two spots: first for the Oracle CPU for Java (also included in February) and second for the OS X Java update. This CVE was used by the Flashback malware affecting OS X and required an update from Apple to remedy the situation. While Java for OS X 2012-002 actually resolved the issue, we included 2012-003 instead since it also includes the Flashback removal tool.
Also included this month are MS12-020, which resolves a remote code execution vulnerability affecting Microsoft Remote Desktop, and MS12-027, a vulnerability in the Windows Common Controls, which was reportedly exploited in limited, targeted attacks.
The list is rounded out with a pair of new updates from Adobe for Flash and Reader, the massive 88-vulnerability Oracle April Critical Patch Update, the latest IE cumulative update, and a pair of Microsoft bulletins carried over from previous months.
About the Patch Priority Index
Tripwire's Patch Priority Index (PPI) draws from a number of unique sources to create a thoroughly researched list of the most critical vulnerabilities affecting your network. Every month, Tripwire VERT, a team of highly skilled security research engineers, weighs a number of criteria to determine which of the most severe issues that can be patched in a given month are candidates for the list. For a vulnerability to be included on the PPI list, it MUST have a patch available. VERT researches each vulnerability and ranks it using the following criteria:
- Attack Vector
- CVSS Score
- Availability of Exploit Code
- Popularity of the Service or Software
- Customer Feedback
- Worst Case Attack Scenarios
- Attack Outcome
These attributes are assigned to the vulnerabilities and then peppered with extensive VERT experience to create the ideal list of 'Patch Now!' vulnerabilities.