Patch Priority Index for April 2012

Bulletin                        CVE                            CVSS
Oracle February CPU for Java    CVE-2012-0507, CVE-2012-0508   10.0
Java for OS X 2012-003          CVE-2012-0507                   7.5
MS12-020                        CVE-2012-0002, CVE-2012-0152    9.3
MS12-027                        CVE-2012-0158                   9.3
APSB12-07                       CVE-2012-0772, CVE-2012-0773   10.0
APSB12-08                       CVE-2012-0774, CVE-2012-0775   10.0
Oracle April CPU                CVE-2012-0519, CVE-2012-0510   10.0
MS12-023                        CVE-2012-0168, CVE-2012-1069    9.3
MS12-008                        CVE-2011-5046                   9.3
MS12-013                        CVE-2012-0010, CVE-2012-0155    9.3

Tripwire's April Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, Apple, and Oracle.

This month sees a portion of Microsoft patches identified in the February PPI migrating to the bottom of the list, while newcomers take the top spots.

The most notable inclusion this month is CVE-2012-0507, which takes the top two spots: first for the Oracle CPU for Java (also included in February) and second for the OS X Java update. This CVE was used by the Flashback malware affecting OS X and required an update from Apple to remedy the situation. While Java for OS X 2012-002 actually resolved the issue, we included 2012-003 instead since it also includes the Flashback removal tool.

Also included this month are MS12-020, which resolves a remote code execution vulnerability affecting Microsoft Remote Desktop, and MS12-027, which resolves a vulnerability in the Windows Common Controls that was reportedly exploited in limited, targeted attacks.

The list is rounded out with a pair of new updates from Adobe for Flash and Reader, the massive 88-vulnerability Oracle April Critical Patch Update, the latest IE cumulative update, and a pair of Microsoft bulletins carried over from previous months.

About the Patch Priority Index

Tripwire's Patch Priority Index (PPI) draws from a number of unique sources to create a thoroughly researched list of the most critical vulnerabilities affecting your network. Every month, Tripwire VERT, a team of highly skilled security research engineers, applies a number of criteria to determine which of the most severe issues patchable that month are candidates for the list. For a vulnerability to be included on the PPI list it MUST have a patch available. VERT researches each vulnerability and ranks it using the following criteria:

  • Attack Vector
  • CVSS Score
  • Availability of Exploit Code
  • Popularity of the Service or Software
  • Customer Feedback
  • Worst Case Attack Scenarios
  • Attack Outcome

These attributes are assigned to each vulnerability and then combined with extensive VERT experience to create the ideal list of 'Patch Now!' vulnerabilities.