2/13/2007
05:05 PM

Microsoft Patches 12 Vulnerabilities, 6 Of Them 'Critical'

In terms of urgency, one vendor says this patch release scores seven or eight on a scale of one to 10.

If you're an IT manager, Microsoft's latest monthly Patch Tuesday release will be good job security, but it could really mess up your love life.

The software company took care of 20 vulnerabilities by releasing 12 patches Tuesday -- six for what the company called "critical" bugs, six for "important" bugs. The release clears up five zero-day vulnerabilities, according to Symantec.

The SANS Institute's Internet Storm Center is marking five of the fixes with a "patch now" warning, including a patch for Internet Explorer and two for Office. The Storm Center gives the "patch now" warning when analysts there think there's an immediate danger of exploitation.

"We've been joking that this is really going to mess up Valentine's plans," says Chris Andrew, VP of security technologies at PatchLink, a vulnerability management company.

Microsoft's patch release this month is a big one, and it's a significant one, Andrew says.

There are seven fixes for Microsoft Windows, three for Office, one for Internet Explorer, one for Microsoft Works, one for Microsoft's Malware Protection Engine, and one for Step-by-Step Interactive Training.

Microsoft Office vulnerabilities that were overlooked in the January patch update are being fixed this time around. Microsoft simply didn't have enough time between when the vulnerabilities came out and when it issued its January patches to create the fixes and have them tested, Andrew says.

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said in an interview last week he was specifically looking for Microsoft to patch the outstanding Office bugs. "Last month, they didn't fix any outstanding Office bugs, and they're high-value targets. It's important to get them fixed."

Vincent Hwang, a group product manager with Symantec Security Response, says the Office vulnerabilities aren't the only ones that need quick updating.

"The Word ones in particular are associated with publicly known vulnerabilities, which gives attackers an easy way in," Hwang says. "Due to the pervasive nature and the known exploits, it's prudent to patch them as soon as you can."

Hwang says that, on a scale of one to 10, this patch release would rank a seven or eight in terms of the urgency of applying the patches.

Amol Sarwate, manager of the Vulnerability Lab at Qualys and an adviser at the SANS Institute, warns that it's urgent for IT managers to get the fix for the Malware Protection Engine. It's a piece of software Microsoft embedded in Windows Defender, an anti-spyware and pop-up blocker; Windows Antigen, an antivirus content-filtering system for Exchange and SharePoint Servers; and Windows Live OneCare, which monitors the firewall while also providing antivirus and anti-spyware.

"It certainly is a lot to deal with," Hwang says. "In the last six months, Microsoft has been putting out a large volume of patches. It's always an issue to manage, to decide what to patch first and to roll them through the organization. ... Hopefully, they have forgiving spouses and significant others."
