After attacks, Excel update due from Microsoft
Corporate IT staffers will get a double whammy next week, as both Microsoft and Oracle are set to release critical security updates on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.
This month, Oracle's quarterly software fixes and Microsoft's monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release eight updates in total: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft's Internet Security and Acceleration (ISA) server.
Oracle said Thursday that next week's patches will contain 43 security fixes, including 16 patches for the company's flagship database software. There will also be 12 vulnerabilities patched in the Oracle Application Server, as well as a handful of fixes for the company's E-Business Suite, PeopleSoft and JD Edwards Suite, and for the BEA application server suite.
The Excel update is noteworthy because Microsoft's spreadsheet software has recently been leveraged in a small number of targeted attacks. By tricking users into opening a specially crafted Excel file, criminals can install their malicious software on a victim's machine, Microsoft said. The software vendor has not said for certain whether it will patch this particular Excel flaw next week, but it seems likely.
Microsoft has also warned of a similar flaw in its PowerPoint software, which is also being used in attacks, but no PowerPoint updates are currently scheduled.
"We were hoping to see an update to handle the PowerPoint .pps exploit seeing as this is the hottest Office issue running wild, but from what we can tell at this point, the issue won't be addressed this month," security vendor Lumension said in a statement.
Microsoft rates the IE and Excel fixes as critical, along with three of the Windows updates, meaning a hacker could take advantage of the flaws they patch to run unauthorized software on a PC. The ISA patch is rated important; an attacker could use this bug to crash a system. And the other two Windows flaws could be used to elevate privileges to gain access to unauthorized resources on the PC, Microsoft said.
One of the critical Windows updates is for the DirectX multimedia software, Microsoft said. Another Windows update, rated important, is for the Microsoft Distributed Transaction Coordinator (MSDTC), software that is used by programs such as databases to connect with other parts of the operating system.
The ISA bug is also important, because it could be used by attackers to disable software that is supposed to be protecting corporate networks from online attacks.
Microsoft released some details of next week's patches on its Web site Thursday.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
microsoft
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
