[ISN] Oracle fixes pile of bugs

From: InfoSec News (isn@private)
Date: Wed Jan 18 2006 - 01:06:44 PST


By Joris Evers 
Staff Writer, CNET News.com
January 17, 2006

As part of its quarterly patch cycle, Oracle released on Tuesday fixes 
for a long list of security vulnerabilities in many of its products. 

The "Critical Patch Update" delivers remedies for 37 flaws related to 
Oracle's Database products, 17 related to Application Server, 20 to 
the Collaboration Suite, 27 to E-Business Suite and Applications, one 
to PeopleSoft's Enterprise Portal and one in JD Edwards software. 

Some of the flaws carry Oracle's most serious rating, which means 
they're easy to exploit and an attack can have a wide impact, 
according to the alert. "Several of these vulnerabilities are 
significant, and should be patched as soon as possible," security 
provider Symantec said in an alert to users of its DeepSight 
intelligence service. 

While there are a lot of fixes, the vulnerabilities are clearly 
marked, which could make them easier to deal with, Pete Finnigan, a 
security specialist in York, England, wrote on his blog. "This seems 
like a good mixed bag of fixes, quite a lot in total," he said. "This 
time it seems possible to isolate the areas affected in more cases due 
to the more explicit naming of some packages, programs and commands." 

In addition to the security fixes, Oracle also released a tool to 
check for default accounts and passwords. It's meant to help 
businesses defend their systems against the "Oracle voyager" database 
worm, which takes advantage of those default items. 

In response to the Oracle patch release, Symantec raised its ThreatCon 
global threat index to Level 2, which means an outbreak is expected. 
It typically does that after a patch release because malicious hackers 
might use the fixes as a blueprint for attacks. 

Oracle has been criticized for being slow to fix security flaws and 
being unresponsive to researchers who find bugs. Oracle's chief 
security officer, Mary Ann Davidson, has responded in turn by saying 
bug hunters themselves can be a problem when it comes to product 
security. The company recently said it was adding more automation to 
its bug-checking process. 

Copyright 1995-2006 CNET Networks, Inc. All rights reserved. 

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Wed Jan 18 2006 - 01:17:21 PST