Microsoft Patches 12 Vulnerabilities, 6 Of Them 'Critical' - InformationWeek


In terms of urgency, one vendor says this patch release scores seven or eight on a scale of one to 10.

If you're an IT manager, Microsoft's latest monthly Patch Tuesday release will be good job security, but it could really mess up your love life.

The software company took care of 20 vulnerabilities by releasing 12 patches Tuesday -- six for what the company called "critical" bugs, six for "important" bugs. The patch clears up five zero-day vulnerabilities, according to Symantec.

The SANS Institute's Internet Storm Center is marking five of the fixes with a "patch now" warning, including a patch for Internet Explorer and two for Office. The Storm Center gives the "patch now" warning when analysts there think there's an immediate danger of exploitation.

"We've been joking that this is really going to mess up Valentine's plans," says Chris Andrew, VP of security technologies at PatchLink, a vulnerability management company.

Microsoft's patch release this month is a big one, and it's a significant one, Andrew says.

There are seven fixes for Microsoft Windows, three for Office, one for Internet Explorer, one for Microsoft Works, one for Microsoft's Malware Protection Engine, and one for Step-by-Step Interactive Training.

Microsoft Office vulnerabilities that were overlooked in the January patch update are being fixed this time around. Microsoft simply didn't have enough time between when the vulnerabilities came out and when it issued its January patches to create the fixes and have them tested, Andrew says.

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said in an interview last week he was specifically looking for Microsoft to patch the outstanding Office bugs. "Last month, they didn't fix any outstanding Office bugs, and they're high-value targets. It's important to get them fixed."

Vincent Hwang, a group product manager with Symantec Security Response, says the Office vulnerabilities aren't the only ones that need quick updating.

"The Word ones in particular are associated with publicly known vulnerabilities, which gives attackers an easy way in," Hwang says. "Due to the pervasive nature and the known exploits, it's prudent to patch them as soon as you can."

Hwang says that on a scale of one to 10, this patch release would rank a seven or eight in terms of the urgency of getting the patches applied.

Amol Sarwate, manager of the Vulnerability Lab at Qualys and an adviser at the SANS Institute, warns that it's urgent for IT managers to get the fix for the Malware Protection Engine. It's a piece of software Microsoft embedded in Windows Defender, an anti-spyware and pop-up blocker; Windows Antigen, an antivirus content-filtering system for Exchange and SharePoint Servers; and Windows Live OneCare, which monitors the firewall while also providing antivirus and anti-spyware.

"It certainly is a lot to deal with," Hwang says. "In the last six months, Microsoft has been putting out a large volume of patches. It's always an issue to manage, to decide what to patch first and to roll them through the organization. ... Hopefully, they have forgiving spouses and significant others."
