Patch Tuesday: A Review of the Must-Have Fixes from Microsoft, Adobe and Oracle
April 14, 2010 - By Justin E. Gehrke
For most system administrators, Patch Tuesday is a regular event that signals that there is work to be done. For home computer users, it’s when their computer (if properly configured) either automatically installs new Microsoft patches or prompts them to do so. Inevitably, a reboot or two will be required. While it may seem like a bit of a pain, it’s a crucial task that affords effective protection against the most obvious and popular avenues of exploitation used by hackers.
This Tuesday was no different where Microsoft patches are concerned. This time around, though, Adobe and Oracle joined in the update fun by making available some critical patches that system administrators and home users alike should install as soon as possible. What’s included that you should know about? Let’s go through the list to make sure you’re in the know.
Microsoft Updates
In total, Microsoft reportedly provided patches for 25 holes. Several of the critical fixes address holes that could be exploited by maliciously encoded web pages. Patches in the April 13, 2010 MS Bulletin include: MS10-019 (Critical), MS10-020 (Critical), MS10-021, MS10-022, MS10-023, MS10-024, MS10-025 (Critical), MS10-026 (Critical), MS10-027 (Critical), MS10-028, and MS10-029. The critical ones are marked as such. The rest are categorized as either “Important” or “Moderate” by Microsoft. This doesn’t mean they don’t need to be installed, though. Applying all of the updates may seem time-consuming. Trust us, though, when we say the alternative (i.e. OS/software corruption, data loss, or, even worse, bot infestation) is much worse.
Oracle Updates
For its part, Oracle was also busy providing fixes for its various software offerings. Reported to address around 50 confirmed vulnerabilities, the company’s patch list covers software such as Oracle Database 11g, 10g, and 9i (multiple releases/versions), Oracle Application Server 10gR2 (version 10.1.2.3.0), Oracle Identity Management 10g (multiple versions), and Oracle Collaboration Suite 10g (version 10.1.2.4). The complete list of affected software can be found in the Oracle Critical Patch Update Advisory – April 2010, on the company’s official website.
Adobe Updates
Adobe, which is famous (or infamous) for its quarterly patch releases, provided fixes for 15 vulnerabilities for its Adobe Reader and Adobe software. Several of these address vulnerabilities which, if unmitigated, could allow a remote attacker to take control of a user’s system via maliciously encoded PDF files (sounds familiar, right?). In Adobe’s case, several Adobe versions on different operating systems are affected, including Microsoft Windows, Apple’s Mac OS X, and Unix. A complete list of patches is available in the Adobe Security Bulletin for April 13, 2010, on the company’s official website.
Especially for system administrators, this month’s list is a daunting one. While many users think it is as simple as the home security updates, with a confirmation to install and a reboot, administrators of both small and large Local Area Networks (LANs) have to test vendor patches to ensure they will not create conflicts with other, specialized applications on production machines used by the company. This is often one of the reasons that systems remain unpatched and, ultimately, fall victim to malicious logic attacks that could have easily been avoided.
So, if your company’s system administrator or solo-flying IT guru seems a little frazzled in the next few days, buy them something with caffeine or slip them a donut. You can be sure they’ll appreciate the pick-me-up.





Just a note: MS10-020 (KB980232) breaks the ability to save from Excel to a network share in a geographically different location.
Thanks for the heads-up. It might very well save a few SysAdmins some time and heartache. Thanks again!