Microsoft Fixes Critical Flaws with Patch Tuesday Updates

Microsoft released seven security bulletins for Patch Tuesday, but two in particular should get priority attention.

Microsoft released a total of seven new security bulletins for May's Patch Tuesday. Four are rated as Important, and the other three are Critical, but two in particular are getting the most attention: MS12-034 and MS12-029.

MS12-034 fixes 10 separate vulnerabilities spanning a range of Microsoft products including Windows, Office, .NET Framework, and Silverlight. It's unusual for Microsoft to lump so many products together in a single security bulletin or patch.

Wolfgang Kandek, CTO of Qualys, provides some background to explain the unusual patch in a blog post. MS12-034 is the result of an effort by Microsoft to seek out other products using the same flawed code exploited by Duqu. This patch knocks out all of the other instances, and addresses a variety of other security issues in the affected products at the same time.

Andrew Storms, director of security operations for nCircle, isn't impressed by the bundled patch. Storms says, "The core of this bug fix is related to the vulnerabilities leveraged by Duqu--a problem Microsoft fixed last year--so this bulletin also replaces a half dozen previously released bulletins. This is going to give the patch management folks some serious heartburn."

Tyler Reguly, technical manager security research and development at nCircle, agrees. "MS12-034 is sheer craziness--it's going to be the most interesting and most painful part of the day for most IT security teams. There are multiple Office and .NET patches due to the overlap of products in this bulletin."

Storms recommends IT admins not spend too much time scratching their heads analyzing or trying to understand MS12-034. "Just install the patch as soon as you can, and then move on."

As urgent as MS12-034 is, MS12-029 is also crucial. Kandek explains, "The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit."

Of course, the rest of the security bulletins and patches should be addressed as well. The remaining five security bulletins fix flaws related to elevation of privileges and remote code execution, and should not be ignored or taken lightly.

Prioritize implementing the updates in MS12-034 and MS12-029, but be sure to review the other security bulletins and apply the patches as soon as possible.
