Microsoft, Adobe, Oracle offer fixes in big Patch Tuesday

Critical security patches from Microsoft, Adobe, Oracle will keep IT administrators busy.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
4 min read

Microsoft fixed 25 holes on Tuesday, including critical ones for Windows that could be triggered by browsing to a malicious Web page, while Adobe plugged 15 holes in Reader and Acrobat and launched its new updater service.

Oracle also released its own critical patch update, covering nearly 50 new vulnerability fixes across hundreds of its products, on what was turning out to be an uber Patch Tuesday.

Microsoft said customers should deploy all 11 of its security updates, which include five that are critical, as soon as possible. However, three were listed as top priorities:

• MS10-019, which affects all versions of Windows and would allow an attacker to alter signed executable content without invalidating the signature

• MS10-026, which is critical on Windows 2000, XP, Server 2003 and Server 2008, and could allow an attacker to take complete control if a victim were to open a malicious AVI (Audio Video Interleave) file or had it stream from a Web site

• MS10-027, which affects Windows 2000 and XP users and could be triggered if they visited a malicious Web page, according to its bulletin summary.

It is likely that there will be reliable exploit code developed for MS10-026 and MS10-027, according to a Security Research & Defense item that details the risks associated with each of the bulletins.

security bulletins
This chart lists the nine security bulletins affecting Windows, the versions affected, and a rating of how important they are. Microsoft

Microsoft also closed out two existing security advisories involving flaws for which exploit code is in the wild. One is 981169, which involves a vulnerability in VBScript that could allow the remote execution of code and a complete takeover of the system if a user pressed the F1 key while visiting a Web page with a malicious dialog box on it. Disclosed on March 1, it affects older versions of Windows running Internet Explorer. The other advisory to be closed is 977544, which involves a hole in Server Message Block (SMB) protocol that could allow a denial-of-service attack and that dates back to November.

Other vulnerabilities fixed in the bulletins include a hole in Windows Media Services on Windows 2000 Server, a vulnerability in Microsoft Office Publisher that could allow remote code execution, and holes in Exchange, Windows SMTP Service and Office Visio.

Microsoft said it made some technology changes affecting all Windows Kernel updates starting with MS10-021 to resolve an issue that led to some systems crashing during the February security update because they were infected with the Alureon rootkit program that had made changes to the operating system kernel.

Going forward, Kernel updates will include "detection logic for unusual conditions or modifications to the Windows Kernel binaries, " so that if certain conditions are detected the update will return an error message to the user and fail to install, Jerry Bryant, group manager for Microsoft Response Communications, wrote in a blog post. Customers who see the error should contact Microsoft's customer service and support team for help in determining if there is malware on the system.

Microsoft also updated its Malicious Software Removal Tool to include Win32/Magania, a password-stealing Trojan.

Software affected by the Microsoft updates is Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System and Exchange Server 2000, 2003, 2007, and 2010.

Meanwhile, Adobe released new versions of Acrobat and Reader that plugged critical holes that could cause the application to crash or even allow an attacker to take control of the system if a victim were to open malicious PDF files. The updates fix vulnerabilities involving cross-site scripting, memory corruption, font handling, buffer overflow and denial-of-service issues. They affect Reader 9.3.1 for Windows, Mac, and Unix, Acrobat 9.3.1 for Windows and Mac, and Reader 8.2.1 and Acrobat 8.2.1 for Windows and Mac. Adobe provides more information on its update and patch services in a blog post.

Finally, Oracle released its critical patch update covering 47 holes, 16 of them in Sun Solaris alone and many of which can be remotely exploited without authentication, according to an advisory. Affected software includes Oracle Database, Oracle Fusion Middleware, Oracle Collaboration Suite, Oracle Applications Suite, PeopleSoft and JDEdwards Suite and Oracle Industry Applications.

"This is going to be quite the month for IT administrators," Joshua Talbot, security intelligence manager at Symantec Security Response, said in a statement. "With a large number of patches coming from Microsoft and Oracle, including two from Microsoft for public vulnerabilities, and a handful more patches from Adobe, automating the patching process becomes even more critical to ensure that nothing slips through the cracks."

"The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts," said Talbot. "It allows an attacker to fool Windows into thinking that a malicious program was created by a legitimate vendor."

Update 1:45 p.m. PDT: Story now reflects that Oracle has released its security update.