Patch Priority Index™ for Microsoft
Every day IT security teams are faced with the daunting task of prioritizing the continuous stream of patches that address information security risks. When deciding which patch to apply first, security professionals face a complex resource allocation equation with many variables, some of which are only roughly defined and all of which are constantly changing.
As a service to the information security community, nCircle has created the nCircle Patch Priority Index, a tool designed to identify the top ten priority patches for specific vendors, such as Microsoft and Adobe.
The nCircle Patch Priority Index is a monthly ranking of the highest risk vulnerabilities that should be patched immediately. The priority is based on nCircle's Risk Score, a composite metric that combines several factors to generate a detailed, accurate risk score. The nCircle Risk Score can be combined with system asset values to provide enterprises with a repeatable, consistent method that IT security teams across the globe can use to effectively prioritize the most critical vulnerabilities. The Patch Priority Index is a prioritized list of vulnerabilities to patch, and does not include zero-day vulnerabilities since there is no patch available.
Patch Priority Index for Microsoft – 12 months through April 21, 2010
Rank | CVE | Vulnerability | Microsoft Exploitability Index | CVSS Base Score | nCircle Risk Score
---- | --- | ------------- | ------------------------------ | --------------- | ------------------
1 | CVE-2008-0015 | MS09-032: Microsoft Windows 'MPEG2TuneRequest' ActiveX Control Remote Code Execution Vulnerability | 1 | 9.3 | 12778
2 | CVE-2009-3023 | MS09-053: Microsoft IIS FTPd NLST Remote Buffer Overflow Vulnerability | 1 | 9 | 11587
3 | CVE-2009-3103 | MS09-050: Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability | 1 | 7.8 | 11429
4 | CVE-2009-2514 | MS09-065: Microsoft Windows Embedded OpenType Font Engine Remote Code Execution Vulnerability | 1 | 9.3 | 9872
5 | CVE-2009-2510 | MS09-056: Microsoft Internet Explorer NULL Byte CA SSL Certificate Validation Security Bypass Vulnerability | 3 | 6.8 | 1763
6 | CVE-2009-1537 | MS09-028: Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability | 2 | 9.3 | 788
7 | CVE-2009-2505 | MS09-071: Microsoft Protected Extensible Authentication Protocol Memory Corruption Vulnerability | 2 | 10 | 569
8 | CVE-2009-1122 | MS09-020: Microsoft IIS 5.0 WebDAV Authentication Bypass Vulnerability | 3 | 7.6 | 554
9 | CVE-2009-1122 | MS09-020: Microsoft IIS 5.0 WebDAV Authentication Bypass Vulnerability (Remote) | 3 | 7.6 | 534
10 | CVE-2009-1535 | MS09-020: Microsoft IIS Unicode Requests to WebDAV Authentication Bypass Vulnerability (Remote) | 1 | 7.6 | 534
The nCircle Risk Score
The nCircle Risk Score was developed over several years using data collected from hundreds of thousands of security audits and was designed to scale to very large networks. It provides a highly granular, composite metric that enables true prioritization based on the actual risk to the network.
Other scoring systems are much less granular (usually "1 to 5" or "High-Medium-Low") and are not suited to networks with thousands of systems. Page after page of "High" rated vulnerabilities is of little value to administrators trying to determine which vulnerabilities present the most risk to their network and therefore should be fixed first.
The components of the nCircle Risk Score are:
- The "risk" factor, which represents the threat inherent in having the vulnerability on a specific system
- A measurement of the "skill" required to successfully carry out an attack that exploits the vulnerability
- The elapsed time since the vulnerability was publicly disclosed
In addition to the high granularity of the nCircle Risk Score, the third component, time, is a key differentiator from other scoring systems. Other systems simply do not include this factor, and therefore become less useful over time. Is the risk of the LSASS vulnerability the same today as it was when it was discovered in 2004, for instance? Of course not, but other scoring systems have no way of incorporating this concept. CVSS provides a “time” factor, but it is not widely used, and most commercial solutions do not support it. By incorporating the time component, the nCircle Risk Score delivers a consistent, composite metric that provides a solid foundation for prioritizing the most critical vulnerabilities on the enterprise network.
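The introduction says the Risk Score "can be combined with system asset values" to decide which patch to apply first, and the table above gives the scores themselves. The following is an added example, not nCircle's code or formula: it transcribes the table's scores, weights each scanner finding by a constructed asset value (the product is an assumed formula, not nCircle's), breaks ties on the Microsoft Exploitability Index, and then aggregates by bulletin so the output answers "which patch first?" rather than "which CVE?". The hosts, asset values and the placeholder CVE used to show the unscored path are constructed.

```python
"""Patch prioritisation from a published risk index plus asset values.

Added example (not nCircle's code). Risk scores are transcribed from the
page's Patch Priority Index table; hosts, asset values and the product
formula are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexEntry:
    rank: int
    cve: str
    bulletin: str
    exploitability: int  # Microsoft Exploitability Index: 1 = exploit most likely
    cvss: float          # CVSS base score from the table
    risk_score: int      # nCircle Risk Score as printed in the table


# Rows transcribed from the page's table (12 months through April 21, 2010).
PATCH_PRIORITY_INDEX = [
    IndexEntry(1, "CVE-2008-0015", "MS09-032", 1, 9.3, 12778),
    IndexEntry(2, "CVE-2009-3023", "MS09-053", 1, 9.0, 11587),
    IndexEntry(3, "CVE-2009-3103", "MS09-050", 1, 7.8, 11429),
    IndexEntry(4, "CVE-2009-2514", "MS09-065", 1, 9.3, 9872),
    IndexEntry(5, "CVE-2009-2510", "MS09-056", 3, 6.8, 1763),
    IndexEntry(6, "CVE-2009-1537", "MS09-028", 2, 9.3, 788),
    IndexEntry(7, "CVE-2009-2505", "MS09-071", 2, 10.0, 569),
    IndexEntry(8, "CVE-2009-1122", "MS09-020", 3, 7.6, 554),
    IndexEntry(9, "CVE-2009-1122", "MS09-020", 3, 7.6, 534),
    IndexEntry(10, "CVE-2009-1535", "MS09-020", 1, 7.6, 534),
]

# The table lists CVE-2009-1122 twice (ranks 8 and 9); keep the higher score
# so a finding for that CVE is never under-weighted.
RISK_BY_CVE = {}
for _entry in PATCH_PRIORITY_INDEX:
    _current = RISK_BY_CVE.get(_entry.cve)
    if _current is None or _entry.risk_score > _current.risk_score:
        RISK_BY_CVE[_entry.cve] = _entry

# Constructed scanner findings: (host, asset value 1..5, CVE detected).
# "CVE-0000-0000" is a deliberate placeholder for a CVE outside the index.
FINDINGS = [
    ("web-01", 5, "CVE-2009-3023"),
    ("web-01", 5, "CVE-2009-1535"),
    ("file-02", 3, "CVE-2009-3103"),
    ("kiosk-07", 1, "CVE-2008-0015"),
    ("kiosk-07", 1, "CVE-2009-1537"),
    ("ws-113", 2, "CVE-2008-0015"),
    ("ws-113", 2, "CVE-0000-0000"),
]


def finding_priority(asset_value, cve):
    """Assumed weighting: risk score multiplied by the asset value of the host."""
    return RISK_BY_CVE[cve].risk_score * asset_value


def rank_findings(findings):
    """Return (ranked, unscored).

    ranked:   list of (host, cve, bulletin, priority), highest priority first;
              ties broken by exploitability index (lower = more likely
              exploited), then by CVE id for a stable, repeatable order.
    unscored: (host, cve) pairs whose CVE is not in the index; they are
              reported rather than silently dropped.
    """
    ranked, unscored = [], []
    for host, asset_value, cve in findings:
        entry = RISK_BY_CVE.get(cve)
        if entry is None:
            unscored.append((host, cve))
            continue
        ranked.append((host, cve, entry.bulletin, finding_priority(asset_value, cve)))
    ranked.sort(key=lambda r: (-r[3], RISK_BY_CVE[r[1]].exploitability, r[1]))
    return ranked, unscored


def rank_bulletins(findings):
    """Sum weighted risk per bulletin: the patch that removes the most risk first."""
    totals = defaultdict(int)
    ranked, _ = rank_findings(findings)
    for _host, _cve, bulletin, priority in ranked:
        totals[bulletin] += priority
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ranked, unscored = rank_findings(FINDINGS)
    for host, cve, bulletin, priority in ranked:
        print(f"{priority:>6}  {host:<9} {cve:<14} {bulletin}")
    print("unscored:", unscored)
    print("patch order:", rank_bulletins(FINDINGS))
```

Note how the asset weighting changes the answer: the index's rank-1 entry (CVE-2008-0015) sits only on low-value hosts in the constructed data, so MS09-053 on the high-value web server comes out first, and MS09-032 still outranks MS09-050 once its two affected hosts are summed.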