
Microsoft Patches 12 Vulnerabilities, 6 Of Them 'Critical'

In terms of urgency, one vendor says this patch release scores seven or eight on a scale of one to 10.

If you're an IT manager, Microsoft's latest monthly Patch Tuesday release will be good job security, but it could really mess up your love life.

The software company took care of 20 vulnerabilities by releasing 12 patches Tuesday -- six for what the company called "critical" bugs, six for "important" bugs. The release clears up five zero-day vulnerabilities, according to Symantec.

The SANS Institute's Internet Storm Center is marking five of the fixes with a "patch now" warning, including a patch for Internet Explorer and two for Office. The Storm Center gives the "patch now" warning when analysts there think there's an immediate danger of exploitation.

"We've been joking that this is really going to mess up Valentine's plans," says Chris Andrew, VP of security technologies at PatchLink, a vulnerability management company.

Microsoft's patch release this month is a big one, and it's a significant one, Andrew says.

There are seven fixes for Microsoft Windows, three for Office, one for Internet Explorer, one for Microsoft Works, one for Microsoft's Malware Protection Engine, and one for Step-by-Step Interactive Training.

Microsoft Office vulnerabilities that were overlooked in the January patch update are being fixed this time around. Microsoft simply didn't have enough time between when the vulnerabilities came out and when it issued its January patches to create the fixes and have them tested, Andrew says.

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said in an interview last week he was specifically looking for Microsoft to patch the outstanding Office bugs. "Last month, they didn't fix any outstanding Office bugs, and they're high-value targets. It's important to get them fixed."

Vincent Hwang, a group product manager with Symantec Security Response, says the Office vulnerabilities aren't the only ones that need quick updating.

"The Word ones in particular are associated with publicly known vulnerabilities, which gives attackers an easy way in," Hwang says. "Due to the pervasive nature and the known exploits, it's prudent to patch them as soon as you can."

Hwang says that, on a scale of one to 10, this patch release would rank a seven or eight in terms of urgency.

Amol Sarwate, manager of the Vulnerability Lab at Qualys and an adviser at the SANS Institute, warns that it's urgent for IT managers to get the fix for the Malware Protection Engine. It's a piece of software Microsoft embedded in Windows Defender, an anti-spyware and pop-up blocker; Windows Antigen, an antivirus content-filtering system for Exchange and SharePoint Servers; and Windows Live OneCare, which monitors the firewall while also providing antivirus and anti-spyware.

"It certainly is a lot to deal with," Hwang says. "In the last six months, Microsoft has been putting out a large volume of patches. It's always an issue to manage, to decide what to patch first and to roll them through the organization. ... Hopefully, they have forgiving spouses and significant others."
