Feeds

Oracle blocks 51 security holes

Patch bandwagon heralds busy week for DBAs

Providing a secure and efficient Helpdesk

Oracle released a quarterly patch update on Tuesday containing 51 fixes, one less than originally expected.

The January 2007 update contains security bug fixes that address vulnerabilities in a wide range of Oracle enterprise software products including flaws in Oracle Database, Application Server, Enterprise Manager, Identity Management, E-Business Suite, Developer Suite, and the PeopleSoft software packages.

More than half the patches (26 of the 51) involve Oracle's flagship database software products. Nine of these might be exploited without the benefit of knowing a user name or password, potentially making them far easier to exploit. Of these, eight involve Oracle HTTP Server. The promised, but delayed, security fix also affects Oracle's database software.

The Oracle patch batch also includes 12 new security fixes for Oracle Application Server, eight of which may be remotely exploitable without authentication, as well as seven new security fixes for the Oracle E-Business Suite. Three patches for Oracle PeopleSoft Enterprise PeopleTools, one of which may be remotely exploitable without logging on, and six patches for Oracle Enterprise Manager (five remotely exploitable) complete the unfestive 51.

Secunia reports that the impact of some of the vulnerabilities is unclear while others might be harnessed to gain access to sensitive information, run denial of service attacks, or conduct cross-site scripting and SQL injection attacks.

Oracle has been criticised in the past over the time it takes to develop security patches, and been asked to be more transparent about its security practices. In October, during its last release cycle, Oracle began rating the severity of bugs in its applications according to the Common Vulnerability Scoring System (CVSS), an industry-wide initiative designed to standardise vulnerability rating. Oracle rates this quarter patch batch at 7.0 in a scale from zero to 10, where 10 indicates impending internet meltdown (or some such calamity).

Amichai Shulman, CTO of Israeli database and application security firm Imperva, reckons that some of the vulnerabilities are more severe than Oracle suggests. In particular, he highlighted flaws in Oracle's HTTP server that might be exploited remotely without authentication. "The SSL implementation flaw is the worst of the lot," he added.

A number of the flaws might lend themselves to SQL injections attacks. Exploits would not be difficult for a skilled hacker to craft, Shulman added. Meanwhile, applying the patches would normally involve downtime so it might be some time before enterprises are ready to roll-out fixes.

Long lead times are involved in developing database packages, and this is as true for IBM as it is for Oracle. For this reason releasing Oracle updates on a monthly instead of quarterly basis is unrealistic, according to Shulman.

He added that although Oracle is making some progress in improving its patching process it ought to to be more flexible about the possibility of releasing unscheduled fixes closer to the time when the most severe security flaws are discovered. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.