Microsoft Patches 12 Vulnerabilities, Six 'Critical'

The software company took care of 20 vulnerabilities by releasing 12 patches Tuesday -- six for what the company called "critical" bugs, six for "important" bugs. The patch clears up five zero-day vulnerabilities, according to Symantec.

The SANS Institute's Internet Storm Center is marking five of the fixes with a "patch now" warning, including a patch for Internet Explorer and two for Office. The Storm Center gives the "patch now" warning when analysts there think there's an immediate danger of exploitation.

"We've been joking that this is really going to mess up Valentine's plans," says Chris Andrew, VP of security technologies at PatchLink, a vulnerability management company.

Microsoft's patch release this month is a big one, and it's a significant one, Andrew says.

There are seven fixes for Microsoft Windows, three for Office, one for Internet Explorer, one for Microsoft Works, one for Microsoft's Malware Protection Engine, and one for Step-by-Step Interactive Training.

Microsoft Office vulnerabilities that were overlooked in the January patch update are being fixed this time around. Microsoft simply didn't have enough time between when the vulnerabilities came out and when it issued its January patches to create the fixes and have them tested, Andrew says.

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said in an interview last week he was specifically looking for Microsoft to patch the outstanding Office bugs. "Last month, they didn't fix any outstanding Office bugs, and they're high-value targets. It's important to get them fixed."

Vincent Hwang, a group product manager with Symantec Security Response, says the Office vulnerabilities aren't the only ones that need quick updating.

"The Word ones in particular are associated with publicly known vulnerabilities, which gives attackers an easy way in," Hwang says. "Due to the pervasive nature and the known exploits, it's prudent to patch them as soon as you can."

Hwang says on a scale of one to 10, this patch release would rank a seven or eight in terms of urgency in getting them done.

Amol Sarwate, manager of the Vulnerability Lab at Qualys and an adviser at the SANS Institute, warns that it's urgent for IT managers to get the fix for the Malware Protection Engine. It's a piece of software Microsoft embedded in Windows Defender, an anti-spyware and pop-up blocker; Windows Antigen, an antivirus content-filtering system for Exchange and SharePoint Servers; and Windows Live OneCare, which monitors the firewall while also providing antivirus and anti-spyware.

"It certainly is a lot to deal with," Hwang says. "In the last six months, Microsoft has been putting out a large volume of patches. It's always an issue to manage, to decide what to patch first and to roll them through the organization. ... Hopefully, they have forgiving spouses and significant others."