IT security administrators will have to deal with more than
10 security patches from Oracle and nine from Microsoft this
week.
Oracle's quarterly patch release has coincided with Microsoft's
monthly Patch Tuesday security update.
The most critical Oracle patches target vulnerabilities in
Oracle Secure Backup and BEA's JRockit Complex Event Processing and
WebLogic application server.
Oracle warned that three of 10 database vulnerabilities can be
exploited across a network without a user name or password.
Two patches are for Oracle Application Server weaknesses that
can also be exploited remotely without authentication.
Other patches fix vulnerabilities in Oracle E-Business Suite
components, the PeopleSoft Enterprise, JD Edwards Enterprise One
and Siebel application sets, and Oracle Enterprise Manager.
Microsoft issued six security updates to patch nine
vulnerabilities, six of which were ranked critical.
Microsoft applications updated include Windows, Publisher,
Internet Security and Acceleration Server (ISA) 2006, and
Microsoft's client and server virtualisation software.
The patches finally included fixes for vulnerabilities in the
Internet Explorer ActiveX control and DirectShow, which attackers
have been exploiting for weeks.
Microsoft acknowledged ongoing attacks exploiting a weakness in
DirectShow in May, and acknowledged last week that the ActiveX
control weakness was discovered 18 months ago.
But Microsoft has failed to release a fix for a problem with
Office Web Components, disclosed on Monday, which is being used
to attack Windows users.
Dave Marcus, director of McAfee Avert Labs, said Windows users
continue to be under attack due to an exploit of the
vulnerability.
"The attacks involve booby-trapped websites that load malicious
code onto a vulnerable computer. The compromised PCs are
commandeered and join a botnet, a network of hijacked computers,"
he said.
Many of the vulnerabilities addressed by the fixes could be
exploited if a Windows user simply visits a malicious website or
opens a rigged Office document, said Marcus.
"Today's Microsoft patches once again underline the risk of
using the Internet unprotected," he said. "Criminals today rely on
the web and e-mail to deliver malicious software."