Oracle Delivers First Monthly Patch RollupBy Lisa Vaas | Print
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
The patch set addresses more than 30 long-known vulnerabilities, as well as 20-plus high-risk flaws recently uncovered by Application Security.Oracle on Tuesday delivered its first-ever monthly rollup of security patches, addressing more than 30 vulnerabilities discovered by Next Generation Security Software Ltd. between January and February, and also tackling more than 20 vulnerabilities that eWEEK.com has learned were recently discovered by Application Security Inc.
Oracle Corp. issued notice of the patches late in the day, narrowly making its promised deadline of delivering the first rollup Aug. 31 after weeks of saying little about the security flaws.
For ASI to classify a vulnerability as high risk means that exploits can be almost as simple as opening a command line and establishing a connection to the database, Gonzales said.
At the time this story went to press, ASI was planning to burn the midnight oil as it tests Oracle's patches to determine their effectiveness running on various operating systems.
And ASI continues to uncover more vulnerabilities, Gonzales said. "We discovered about 20 of these vulnerabilities, and it's growing," he said. "Every vulnerability encompasses a ton of other vulnerabilities. We're trying to nail down what packages and functions they affect. They're all interrelated. Developers are coming over to me every other hour, telling me there's something new."
Oracle recommended prompt patching. "Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems," the company said in a statement.
"To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracle's Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities."
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
The sheer number of Oracle vulnerabilities found since January, added to the fact that Oracle has jumped on Microsoft Corp.'s monthly patch release bandwagon, suggest that Oracle could be facing the same type of security headaches that have plagued its rival, Gonzales suggested.
"It's been growing," he said. "If you look at what happened to Microsoft in the past, it's in the beginning stages of what's probably going to be coming. Oracle's already been forced to operationalize on a regular basis, just like Microsoft. They now have a security Web page.
"Microsoft has an automatic way of developing bulletins. They're fairly open to security vulnerabilities and addressing them. Oracle will have to do the same thing. I think it's the beginning of more to come. It's the first step in an evolution of how vendors should be managing this stuff."
ASI will issue an update of ASAP, its live-update package for its AppDetective network-based vulnerability-assessment tool, as soon as it's completed testing of the patches and found that they do in fact remedy the vulnerabilities, Gonzales said.