Patch Priority Index for January 2012

- Jan 1, 2012 -

Bulletin CVE CVSS
MS12-004 CVE-2012-0003 9.3
MS11-100 CVE-2011-3414 7.8
MS11-020 CVE-2011-0661 10.0
MS11-083 CVE-2011-2013 10.0
ASF Bug 51714 CVE-2011-3192 7.8
APSB11-30 CVE-2011-2462, CVE-2011-4369 10.0
APSB12-01 CVE-2011-2462, CVE-2011-4369 10.0
Microsoft Security Advisory 2607712 N/A N/A
Tripwire Connect - VERT Blog - Turn That S#!T Off - SSHv1 CVE-2001-1473 7.5
MS11-087 CVE-2011-3402 9.3
Tripwire's January Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe to create a patch plan that starts the year off right.

Everything on this month's list contains vulnerabilities with scores spanning the top 25% of the CVSS range. We've included Microsoft's first critical vulnerability of 2012 and two Adobe advisories that span the same two CVEs, released for two different versions of their software, that ended 2011 and started 2012.

This month's PPI also includes MS11-087, the patch for the vulnerability utilized by Duqu, and MS11-020, the second oldest vulnerability in the list. MS11-020 describes an unauthenticated remote code execution issue in SMB.

The oldest item in the list this month is a 2001 CVE [ CVE-2001-1473]. This CVE describes SSHv1 man-in-the-middle attacks and it belongs on the list because a lot of modern hardware still supports SSHv1, even when disabled via the UI of the product. SSHv1 is inherently flawed, this is an issue enterprises should watch closely.

Remember DigiNotar? We've included Microsoft Security Advisory 2607712 which describes the DigiNotar breach and fraudulent certificates. Microsoft issued the referenced advisory but it describes a much bigger problem that affects multiple vendors. The most important thing here is to ensure any updates released by the vendors are installed in order to render the fraudulent certificates null and void.

About the Patch Priority Index

Tripwire's Patch Priority Index (PPI) draws from a number of unique sources to create a thoroughly researched list of the most critical vulnerabilities affecting your network. Every month, Tripwire VERT, a team of highly skilled security research engineers, considers a number of criteria to determine the most severe issues that can be patched in a given month to be a candidate for the list. For a vulnerability to be included on the PPI list it MUST have a patch available. VERT researches each vulnerability and ranks them using the following criteria:

  • Attack Vector
  • CVSS Score
  • Availability of Exploit Code
  • Popularity of the Service or Software
  • Customer Feedback
  • Worst Case Attack Scenarios
  • Attack Outcome

These attributes are assigned to the vulnerabilities and then peppered with extensive VERT experience to create the ideal list of 'Patch Now!' vulnerabilities.