Microsoft Corp. last week released eight security updates that patch 23 vulnerabilities in Windows, Internet Explorer, Excel and other software products in the company's portfolio.
Analysts noted that even more dangerous than the unusually large number of patches is the fact that nearly half of them fix flaws that have already been or can be exploited by hackers.
“What really caught our eye is the large number of exploits that are already available,” said Wolfgang Kandek, chief technology officer at Qualys Inc., a provider of on-demand security tools. “Out of the 23, there are 10 exploits or [flaws] that have proof of concept.”
“You could call this a spring cleaning,” said Eric Schultze, CTO at Shavlik Technologies LLC, a network security vendor. “Microsoft jumped on a couple of zero-days, including Excel from February and WordPad from last December. It's nice to see those taken care of.”
Kandek and Amol Sarwate, manager of the vulnerability research lab at Qualys, recommended that users first patch the 10 flaws that have known exploits by applying the “critical” updates for Excel and WordPad, and an “important” patch designed to fix the so-called token-kidnapping issues in Windows. “Critical” and “important” are the top two rankings in Microsoft's four-step threat-scoring system.
Meanwhile, Oracle Corp. last week released 43 security fixes for a range of products, including its flagship database and the Oracle Application Server. The patches also fix flaws in its E-Business Suite and PeopleSoft Enterprise applications, and its WebLogic application server.
Oracle said that 16 of the patches are for various database versions. The most severe vulnerability, which affects Versions 184.108.40.206 and 220.127.116.11DV, “can potentially allow an attacker to gain full control of a vulnerable server,” according to a post on Oracle's global product security blog.
The update also includes patches for eight vulnerabilities in Oracle's WebLogic and AquaLogic products, including JRockit, and for WebLogic Server plug-ins for Apache and IIS Web servers, according to the blog post.