[ISN] Oracle CPU Contains Lowest Number Of Database Fixes Ever

From: InfoSec News <alerts_at_private>
Date: Fri, 20 Jan 2012 02:44:58 -0600 (CST)

By Ericka Chickowski
Contributing Editor
Dark Reading
Jan 18, 2012

Oracle's Tuesday release of its Critical Patch Update (CPU) garnered a 
continuation of criticism from the database security community, with 
researchers pointing to a mounting list of unfixed vulnerabilities that 
date back to 2009, even as Oracle's rate of releasing database patches 
continues to plummet. Not counting MySQL updates, which are primarily 
handled by the open-source community, only two out of the 78 fixes in 
yesterday's CPU were database-related, the lowest number released by 
Oracle since it started quarterly CPU releases.

"I am honestly shocked that they only fixed two database 
vulnerabilities," says Alex Rothacker, manager of Application Security 
Inc.'s research arm, TeamSHATTER.

According to Rothacker, his firm currently has nine vulnerabilities 
reported in Oracle's queue of discovered vulnerabilities. While that 
might not seem like a lot on its face, he says, one of them dates back 
to 2009 and five of them can result in privilege escalation. In 
addition, that's only the vulnerabilities discovered by AppSec 
researchers. Based on his conversations with those in the community, 
Oracle has been notified by other vendors and independent researchers 
about many other vulnerabilities, as well.

"There's definitely more stuff out there than just those nine," 
Rothacker says.


Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
Received on Fri Jan 20 2012 - 00:44:58 PST

This archive was generated by hypermail 2.2.0 : Fri Jan 20 2012 - 00:48:46 PST