Business to be hit by bumper Microsoft and Oracle security updates

IT security administrators will have their hands full with a bumper crop of security patches due from Microsoft and Oracle soon after updates from Adobe.

IT security administrators will have their hands full with a bumper crop of security patches due from Microsoft and Oracle soon after updates from Adobe.

Microsoft is set to release a record Patch Tuesday monthly security update for October, with 16 planned patches aimed at fixing 49 vulnerabilities according to the advance notification.

This tops the previous record of monthly patches aimed at 34 vulnerabilities set in October 2009 and matched in June and August 2010.

Four bulletins due for release on 12 October have a rating of "critical" and affect all versions of Windows, including Windows 7 and 2008R2, and 10 bulletins are rated "important".

One of the critical updates is for Internet Explorer, applicable to version 6, 7 and 8, said Wolfgang Kandek, chief technology officer at security firm Qualys.

Microsoft Office is affected by two bulletins, one for Word and one for Excel on all platforms including Mac OS X.

Each vulnerability is rated with a severity of "important", which is Microsoft's standard rating for file format vulnerabilities, as they require user interaction to be triggered, said Kandek.

For the first time the new Microsoft Word 2010 is included in an advisory, he said.

On the same day as Microsoft's biggest-ever monthly update, Oracle has also issued an advance notice that it plans to release patches for 81 vulnerabilities in its latest quarterly security update.

Oracle said 31 of the vulnerabilities are in its newly acquired Sun products, 16 of which are remotely exploitable.

Seven fixes are planned for Oracle's Database Server, though only one of the vulnerabilities is remotely exploitable.

Of the remaining fixes, 21 fixes are the Peoplesoft and JDEdwards Suite, eight for Fusion Middleware, six for the E-business Suite, four for the Siebel Suite, two for the Supply Chain Products Suite, and one for the Primavera Products Suite.

The Microsoft and Oracle updates come just a week after Adobe released an update for the Adobe Reader and Acrobat product line for Windows, Mac OS X and Unix that fixes 23 vulnerabilities.

It is all trick and no treat for administrators this Halloween with one of the largest patch loads this year, said Paul Henry, forensics and security analyst at security firm Lumension.

The bumper Patch Tuesday comes hard on the heels of Microsoft's proposal that infected PCs should be quarantined.

Microsoft has published a paper that sets out proposals for a public health model of security that would require all PCs to have valid health certificates to connect to the internet.

"It is important to remember that it is always better to prevent infection than to have to clean it up afterwards," said Henry.

Microsoft's Scott Charney, corporate vice-president of the firm's Trustworthy Computing division, uses this as one of the arguments in support of the proposal.

Just as preventative medicine is a lot cheaper than dealing with the consequences of widespread disease in the physical world, he told Computer Weekly, keeping networks clean by notifying users will be less costly for internet service providers than having to deal with widespread malware infections.

Read more on Hackers and cybercrime prevention