April 09, 2009, 2:40 PM — Corporate IT staffers will get a double whammy next week, as both Microsoft and Oracle are set to release critical security updates on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.
This month, Oracle's quarterly software fixes and Microsoft's monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release eight updates in total: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft's Internet Security and Acceleration (ISA) server.
Oracle said Thursday that next week's patches will contain 43 security fixes, including 16 patches for the company's flagship database software. There will also be 12 vulnerabilities patched in the Oracle Application Server, as well as a handful of fixes for the company's E-Business Suite, PeopleSoft and JD Edwards Suite, and for the BEA application server suite.
The Excel update is noteworthy because Microsoft's spreadsheet software has recently been leveraged in a small number of targeted attacks. By tricking users into opening a specially crafted Excel file, criminals can install their malicious software on a victim's machine, Microsoft said. The software vendor has not said for certain whether it will patch this particular Excel flaw next week, but it seems likely.
Microsoft has also warned of a similar flaw in its PowerPoint software, which is also being used in attacks, but no PowerPoint updates are currently scheduled.
"We were hoping to see an update to handle the PowerPoint .pps exploit seeing as this is the hottest Office issue running wild, but from what we can tell at this point, the issue won't be addressed this month," security vendor Lumension said in a statement.
Microsoft rates the IE and Excel fixes as critical, along with three of the Windows updates, meaning a hacker could take advantage of the flaws they patch to run unauthorized software on a PC. The ISA patch is rated important; an attacker could use this bug to crash a system. And the other two Windows flaws could be used to elevate privileges to gain access to unauthorized resources on the PC, Microsoft said.
One of the critical Windows updates is for the DirectX multimedia software, Microsoft said. Another Windows update, rated important, is for the Microsoft Distributed Transaction Coordinator (MSDTC), software that is used by programs such as databases to connect with other parts of the operating system.
The ISA bug is also important, because it could be used by attackers to disable software that is supposed to be protecting corporate networks from online attacks.
Microsoft released some details of next week's patches on its Web site Thursday.