For today’s Patch Tuesday, Microsoft released critical fixes for holes that could allow worms to run rampant through business networks, reminiscent of yesteryear’s Blaster and Sasser scourges. Not to be outdone, Oracle will release a whopping 41 patches, including ten that can be “exploited remotely and anonymously,” according to Symantec.
The Microsoft fixes, gathered under Security Bulletin MS09-001, close holes in the Microsoft Server Message Block (SMB) Protocol. Shavlik Technologies’ Eric Shultze writes that attackers could write worms that use NetBIOS connections to attack this flaw and spread themselves throughout networks. Such connections are often allowed through firewalls when they come from computers on the same corporate network, so business PCs are much more at risk from this flaw than home PCs.
Microsoft’s bulletin lists Windows 2000, XP (SP2 and SP3) and Server 2003 as Critical for this patch, while Windows Vista and Server 2008 are at Moderate risk. Get more info from the bulletin.
For its part, Oracle will today release a large batch of critical patches (right now it only has the pre-release announcement up on its site). Symantec’s Alfred Huger says to immediately apply the Oracle Times Ten Data Server and Oracle Secure Backup patches in particular, and that other holes can be remotely attacked without having to know a username and password.
Head to Oracle’s list of critical patch updates for the patches and more info when they’re released, or to read the pre-release announcement.