Patch Priority Index for February 2012

Bulletin | CVE | CVSS
MS12-008 | CVE-2011-5046 | 9.3
Oracle Java SE CPU - Feb 2012 | CVE-2012-0500 | 10.0
MS12-010 | CVE-2012-0010, CVE-2012-0155 | 9.3
MS12-013 | CVE-2012-0150 | 9.3
APSB12-03 | CVE-2012-0767 | 4.3
MS12-016 | CVE-2012-0014, CVE-2012-0015 | 9.4
OS X Lion 10.7.3 / Security Update 2012-001 | CVE-2011-3459, CVE-2011-3458 | 6.8
MS12-004 | CVE-2012-0003 | 9.3
MS11-020 | CVE-2011-0661 | 10.0
MS11-083 | CVE-2011-2013 | 10.0

Tripwire's February Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, Apple, and Oracle to keep your year moving forward problem-free.


This month sees a portion of Microsoft patches identified in the January PPI migrating to the bottom of the list, while newcomers take the top spots.

Notable in the PPI this month are the four critical bulletins that Microsoft released on Valentine's Day. MS12-008 and MS12-013 are patches that apply directly to Windows, while MS12-010 fixes numerous issues affecting Internet Explorer. MS12-016 patches a couple of vulnerabilities that have a CVSS score of 9.3.

Adobe earned their spot on the list this month with the recently released APSB12-03, which resolves a publicly exploited XSS flaw in Flash.

The two newcomers this month are Oracle and Apple. Thanks to a CVSS score of 10 for many of the CVEs included in their Java SE CPU update, including one that's seen code released in popular exploit frameworks, Oracle has garnered the #2 slot on this month's PPI.

Apple has just barely taken one of the new spots above previously released patches, with their latest update (which includes OS X 10.7.3) that bundles fixes for Apple software (QuickTime), core OS components, and open source packages like Apache httpd, Tomcat, and PHP.

About the Patch Priority Index

Tripwire's Patch Priority Index (PPI) draws from a number of unique sources to create a thoroughly researched list of the most critical vulnerabilities affecting your network. Every month, Tripwire VERT, a team of highly skilled security research engineers, weighs a number of criteria to determine which of the most severe issues that can be patched in a given month are candidates for the list. For a vulnerability to be included on the PPI list, it MUST have a patch available. VERT researches each vulnerability and ranks it using the following criteria:

  • Attack Vector
  • CVSS Score
  • Availability of Exploit Code
  • Popularity of the Service or Software
  • Customer Feedback
  • Worst Case Attack Scenarios
  • Attack Outcome

These attributes are assigned to the vulnerabilities and then peppered with extensive VERT experience to create the ideal list of 'Patch Now!' vulnerabilities.