Oracle on Tuesday delivered its first-ever monthly rollup of security patches, addressing more than 30 vulnerabilities discovered by Next Generation Security Software Ltd. between January and February, and also tackling more than 20 vulnerabilities that eWEEK.com has learned were recently discovered by Application Security Inc.
Oracle Corp. issued notice of the patches late in the day, narrowly making its promised deadline of delivering the first rollup Aug. 31 after weeks of saying little about the security flaws.
Click here to read more about the 30-plus vulnerabilities found at the beginning of the year.
The older patches cover a plethora of vulnerabilities, including the spectrum of NGSS-discovered flaws such as vulnerability to buffer overflow attacks and SQL injection techniques for gaining access to Oracle databases, as well as ASI’s newfound flaws, four of which are deemed high risk.
Eric Gonzales, co-founder and director of marketing at New York-based ASI, told eWEEK.com that one of the newly discovered flaws allows remote attackers to take advantage of a known, default user account and password. Other flaws allow the database to be exploited by a regular user, who can crash the database or escalate his or her privileges to administrator level.
For ASI to classify a vulnerability as high risk means that exploits can be almost as simple as opening a command line and establishing a connection to the database, Gonzales said.
At the time this story went to press, ASI was planning to burn the midnight oil as it tests Oracle’s patches to determine their effectiveness running on various operating systems.
And ASI continues to uncover more vulnerabilities, Gonzales said. “We discovered about 20 of these vulnerabilities, and it’s growing,” he said. “Every vulnerability encompasses a ton of other vulnerabilities. We’re trying to nail down what packages and functions they affect. They’re all interrelated. Developers are coming over to me every other hour, telling me there’s something new.”
Click here for more details on which products are affected by the patches.
Oracle recommended prompt patching. “Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems,” the company said in a statement.
“To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracle’s Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities.”
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.
The sheer number of Oracle vulnerabilities found since January, added to the fact that Oracle has jumped on Microsoft Corp.’s monthly patch release bandwagon, suggest that Oracle could be facing the same type of security headaches that have plagued its rival, Gonzales suggested.
“It’s been growing,” he said. “If you look at what happened to Microsoft in the past, it’s in the beginning stages of what’s probably going to be coming. Oracle’s already been forced to operationalize on a regular basis, just like Microsoft. They now have a security Web page.
“Microsoft has an automatic way of developing bulletins. They’re fairly open to security vulnerabilities and addressing them. Oracle will have to do the same thing. I think it’s the beginning of more to come. It’s the first step in an evolution of how vendors should be managing this stuff.”
ASI will issue an update of ASAP, its live-update package for its AppDetective network-based vulnerability-assessment tool, as soon as it’s completed testing of the patches and found that they do in fact remedy the vulnerabilities, Gonzales said.
The security patches are available on Oracle Technology Network and on Oracle’s support site, Metalink.
Check out eWEEK.com’s Database Center at http://database.eweek.com for the latest database news, reviews and analysis.
Be sure to add our eWEEK.com database news feed to your RSS newsreader or My Yahoo page