IT managers deluged with critical security patches

by Dave Neal

15 Jul 2009

Administrators were kept busy yesterday with six fixes from Microsoft and 30 from Oracle

IT managers face a barrage of security updates this week, after both Microsoft and Oracle released a range of fixes on Tuesday.

Microsoft's patches appeared overnight for UK firms, and range from 'critical' to 'important'. IT managers who have waited a year to see an infamous ActiveX vulnerability plugged will be relieved to see that a fix for that issue has been included, along with others that close remote code execution flaws which could contribute to botnet infections and denial-of-service attacks.

However, Microsoft's release of six patches for nine vulnerabilities pales into insignificance when compared to the 30 vulnerability fixes from Oracle.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the fixes as soon as possible. This Critical Patch Update contains 30 new security fixes across all products," the firm said.

Ten of the fixes apply to Oracle databases, and 20 to applications.

Monthly patch updates were designed in part to make it easier for firms to manage their security cycles, but the system has its critics.

Andrew Clarke, senior international vice president at Lumension, said that the range and complexity of the fixes left companies ripe for exploitation.

"With this month's Patch Tuesday, nearly every popular web browser (Microsoft, Apple, Mozilla and Google) required some form of immediate attention, leaving IT departments scrambling to install a patch or workaround to deal with potentially significant issues," he said.

Microsoft was also criticised for not releasing a fix for all currently identified problems in its latest security patches.

"Despite today's fixes, Windows users continue to be under attack. McAfee has recently seen new attacks that exploit the unpatched Office Web Components vulnerability," said Dave Marcus, director of security research and communications at McAfee Avert Labs.

"The attacks involve booby-trapped web sites that load malicious code onto a vulnerable computer. The compromised PCs are commandeered and join a network of hijacked computers."

Wolfgang Kandek, chief technology officer at Qualys, commented on the severity of the patches, and urged firms to update systems as soon as possible.

"These three advisories should be addressed immediately, as they allow the attacker to fully control the victim's computer," he said.
