Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Microsoft Patch Tuesday Roundup - September 2011

Sensitive Data is More than "Important"

All but one of this month's Microsoft Patch Tuesday updates relates to Microsoft Office applications and/or Windows components that handle documents (such as RTF, TXT, and Word Document files as described in MS11-071). The three Office-related bulletins are listed as "important" on the Microsoft site, despite the fact that they allow for remote code execution. Another bulletin, MS11-074, announces issues with Microsoft's SharePoint, a server application for sharing information and managing documents.

While I don't recommend completely ignoring Microsoft's risk categories, developing your own metrics for risk classification can go a long way to improving your defenses and patch management programs. Vulnerabilities that target Microsoft Office users who have access to sensitive data are a higher priority to patch. It’s critical to know where sensitive data lies so that you can identify if the data is at risk from these vulnerabilities. SecurityCenter's management and Nessus's auditing capabilities provide you with valuable information to identify where sensitive data resides in your network and help you prioritize your patch schedule.

For example, Nessus can perform a variety of content checks to look for credit card, financial, personal, copyrighted and other types of sensitive data. The dashboard below summarizes a variety of different types of sensitive data audits:


One of the things I like best about the dashboard shown above (which can be downloaded from this entry on the SecurityCenter Dashboard Site) is that you can overlay other types of results, such as the systems that contain vulnerabilities for which an exploit exists. If I had to prioritize a patch rollout, I might start with systems that have access to sensitive data and also have vulnerabilities that can be easily exploited.

To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:


Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.