Channel News and Analysis - Channel Insider
    Oracle Delivers First Monthly Patch Rollup

    in Channel News and Analysis


    The patch set addresses more than 30 long-known vulnerabilities, as well as 20-plus high-risk flaws recently uncovered by Application Security.

    Oracle on Tuesday delivered its first-ever monthly rollup of security patches, addressing more than 30 vulnerabilities discovered by Next Generation Security Software Ltd. between January and February, and also tackling more than 20 vulnerabilities that eWEEK.com has learned were recently discovered by Application Security Inc.

    Oracle Corp. issued notice of the patches late in the day, narrowly making its promised deadline of delivering the first rollup Aug. 31 after weeks of saying little about the security flaws.

    The older patches cover a plethora of vulnerabilities, including the spectrum of NGSS-discovered flaws such as vulnerability to buffer overflow attacks and SQL injection techniques for gaining access to Oracle databases, as well as ASI's newfound flaws, four of which are deemed high risk.

    Eric Gonzales, co-founder and director of marketing at New York-based ASI, told eWEEK.com that one of the newly discovered flaws allows remote attackers to take advantage of a known, default user account and password. Other flaws allow the database to be exploited by a regular user, who can crash the database or escalate his or her privileges to administrator level.

    For ASI to classify a vulnerability as high risk means that exploits can be almost as simple as opening a command line and establishing a connection to the database, Gonzales said.

    At the time this story went to press, ASI was planning to burn the midnight oil as it tested Oracle's patches to determine their effectiveness running on various operating systems.

    And ASI continues to uncover more vulnerabilities, Gonzales said. "We discovered about 20 of these vulnerabilities, and it's growing," he said. "Every vulnerability encompasses a ton of other vulnerabilities. We're trying to nail down what packages and functions they affect. They're all interrelated. Developers are coming over to me every other hour, telling me there's something new."

    Oracle recommended prompt patching. "Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems," the company said in a statement.

    "To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracle's Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities."

    The sheer number of Oracle vulnerabilities found since January, added to the fact that Oracle has jumped on Microsoft Corp.'s monthly patch release bandwagon, suggests that Oracle could be facing the same type of security headaches that have plagued its rival, Gonzales said.

    "It's been growing," he said. "If you look at what happened to Microsoft in the past, it's in the beginning stages of what's probably going to be coming. Oracle's already been forced to operationalize on a regular basis, just like Microsoft. They now have a security Web page.

    "Microsoft has an automatic way of developing bulletins. They're fairly open to security vulnerabilities and addressing them. Oracle will have to do the same thing. I think it's the beginning of more to come. It's the first step in an evolution of how vendors should be managing this stuff."

    ASI will issue an update of ASAP, its live-update package for its AppDetective network-based vulnerability-assessment tool, as soon as it's completed testing of the patches and found that they do in fact remedy the vulnerabilities, Gonzales said.

    The security patches are available on Oracle Technology Network and on Oracle's support site, Metalink.

    >>> More Channel News and Analysis Articles          >>> More By Lisa Vaas
     


     

