SMBs should prepare for some serious patching this week as Microsoft unveils 16 bulletins for October's Patch Tuesday. As part of its advance notification, the Redmond-based software giant detailed 49 vulnerabilities in its products, setting a new record in vulnerability count. Overall, four of the flaws were flagged as "critical," while 10 more were considered "important." The last two bulletins were tagged as "moderate."
Microsoft says that the various vulnerabilities are spread across the Windows operating system, Internet Explorer, Office and the .NET Framework. On the operating system side, practically every version of Windows is affected, ranging from Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows 2008. The various critical flaws are spread over all the operating systems, so security administrators should be prepared for mandatory system restarts as well.
This bumper crop of Patch Tuesday updates comes on the back of Adobe resolving a total of 23 security flaws in its Adobe PDF Reader software last Tuesday. Twenty of them are considered critical. This means that Adobe thinks they could lead to "code execution," which is what allows hackers to take over their targets. As such, the updates should be applied as soon as possible. For more information, the security bulletin titled APSB10-21 detailed the affected versions of Adobe Reader family of products can be found here.
As you can imagine, it makes sense for administrators in charge of affected nodes to move quickly and install the Adobe patch before Microsoft's patches hit Tuesday. This is a position concurred by Jason Miller, who is the data and security team leader at Shavlik Technologies. Miller, in a prepared statement sent by e-mail, suggested that administrators "look at patching the out-of-band bulletin released by Microsoft last week (MS10-070) and the Adobe critical release for Flash, Reader, and Acrobat if they have not done so yet."
On top of everything, businesses that use Oracle's products will also have to content with a mega-release from the database giant that will patch a staggering 81 vulnerabilities. A slew of products are affected, including the Oracle Database, Oracle Fusion Middleware Executive Summary, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft and JDEdwards Suite, Oracle Siebel Suite, Oracle Primavera Products Suite, Oracle Sun Products Suite and Oracle Open Office Suite. According to ZDNet Zero Day blog, the most serious flaws could result in remote exploitation without the need for any authentication, so this update is definitely not something to be overlooked.
As they say, it's better to spend some time performing pre-emptive software updates than to waste a vast amount of resources stopping and fixing a security incident.