Microsoft, Oracle Patches Lead Security Week

It was a week of patches that are sure to create some extra work for administrators.

Microsoft broke its record for the most patches ever Oct. 12, releasing a total of 16 security bulletins to fix 49 vulnerabilities across its products. One of the fixes patched a zero-day issue exploited by the Stuxnet worm. According to security pros, the most critical updates, however, were the Internet Explorer bulletin and a bulletin covering a vulnerability in the Embedded OpenType Font Engine.

Not to be outdone, Oracle pushed out its final update of the year with 85 security fixes. Of the 85, 33 are focused on the Oracle applications suites, with the breakdown as follows: six for Oracle e-Business, two for Oracle Supply Chain products, 21 for the Oracle PeopleSoft and JDEdwards suite, and four for the Oracle Siebel suite.

Thirty-one of the vulnerabilities affect the Oracle Sun product suite (Solaris), including 11 Oracle classified as remotely exploitable. There are also eight fixes for Oracle Fusion Middleware, seven for the Oracle database, one in Oracle Enterprise Manager Grid Control, one in the Oracle Primavera suite and four for Oracle VM.

"This process should not be taken lightly," said Amichai Shulman, co-founder and CTO of Imperva. "For many organizations, the process of patching lasts a few months—mainly between three to six months. DBAs [database administrators], system and IT admins, developers—all these play a role in the patching process. As resources and time are constrained, servers are left vulnerable for months after the release of a patch. Of course, the addition of more patches to different parts of the system—such as when MS patches pertain to servers—just adds complexity to the patching process."

Facebook appeared in the security news again this week, this time with a new feature meant to protect user passwords. Facebook is gradually rolling out the ability to text a one-time password to users concerned about working on machines other than their normal computers, such as public computers in hotels, cafes or airports.

"Simply text 'otp' to 32665 on your mobile phone, and you'll immediately receive a password that can be used only once and expires in 20 minutes," blogged Jake Brill, product manager for Facebook's integrity team. "In order to access this feature, you'll need a mobile phone number in your account. We're rolling this out gradually, and it should be available to everyone in the coming weeks."

Officials at McAfee, meanwhile, discussed their "Security Connected" vision, outlining integration and management plans across its portfolio. In addition, Microsoft released an update Security Intelligence Report that named the United States as home base for more than 2 million bot-infected PCs, while Sophos reported the United States had retained its title as the top spam-relaying nation in the world.

Rounding out the news, the Lower Merion School District agreed to settle litigation alleging it had used Webcams to spy on students. The district settled the matter for $610,000, ending several months of legal wrangling.