iManage: Critical patch released for security vulnerability

iManage released a critical update on Wednesday with a fix for an iManage Work Server security vulnerability. Firms have been advised to apply the patch installer on all iManage on-premises environments with Work Servers running from 9.5 R2 through to 10.1.3.
Environments currently running 10.2.0 will need to upgrade to a new build (, according to a statement on iManage reseller Kraft Kennedy’s website. This new build will ensure that future installations will include the fix.

Speaking to Legal IT Insider, Geoff Hornsby (pictured right), general manager at iManage said that the release of the patch was “not a big deal.”
“We run security scans on our systems regularly. We found a problem. We patched it. And we told the community what was going on,” Hornsby said. “This affects people who are on-premises because, obviously if they are in the cloud, we have already done the patch and there is no need to worry.”
Some CIOs at iManage clients that Legal IT Insider spoke to were aware of the problem, while others were not. But Hornsby said that clients had been contacted via the tech support site; that iManage had published the news on other sites including ILTA and that all CIOs were emailed at 8am this morning.
Hornsby said he was unable to discuss the exact nature of the problem or which clients are affected because to do so would “encourage hackers to chase particular pieces of software or client material.” This is reiterated by Kraft Kennedy in its above announcement, in which it says: “The iManage advisory further states that the company will not disclose what the vulnerability is until all customers are patched. This makes sense in light of something we have written about before called the “hacker roadmap concept.”
“It is very important to handle these things in a responsible way, which is what we have done,” Hornsby added. “The feedback we have had is that clients find the way we have handled this reassuring.”
Hornsby went on to say that he had 100 per cent confidence in iManage’s security strength. “Let’s be clear,” he said. “This is not a problem that a client has found. No-one has been attacked. There has been no loss of data. We have identified it, patched it and let people know.”
One iManage partner told Legal IT Insider: “This is the new world we live in and bad things have happened to organisations that don’t apply their patches in a timely fashion. But you can serve a very useful public service in ensuring that everyone is aware of the issue and the need to patch.”
Amy Carroll