[ISN] 3 Must-Fix Vulnerabilities Top Oracle CPU Patches

From: InfoSec News <alerts_at_private>
Date: Wed, 17 Oct 2012 04:27:31 -0500 (CDT)
http://www.darkreading.com/vulnerability-management/167901026/security/news/240009195/3-must-fix-vulnerabilities-top-oracle-cpu-patches.html

By Ericka Chickowski
Contributing Writer
Dark Reading
Oct 17, 2012

Systems administrators on all IT fronts will have their hands busy 
patching Oracle vulnerabilities across the software giant's portfolio 
with the release this week of the company's quarterly Critical Patch 
Update. Security experts warn enterprises to pay particular attention to 
this last CPU of the year, which today took the wraps off over 100 fixes 
affecting 10 different product groups, with one or more vulnerabilities 
in each group open to remote exploitation without authentication.

Of particular note among the fixed vulnerabilities named by Oracle were 
two flaws with a CVSS base score of 10.0, one for the Core RDBMS 
database product and one for Oracle Fusion Middleware's JRockit 
component, as well as another MySQL flaw with a CVSS score of 9.0. 
According to Oracle, the highly critical JRockit fix was actually part 
of a broader Java SE Critical Patch to address multiple vulnerabilities 
affecting the Java Runtime Environment, some of which security pundits 
expected to address zero-day vulnerabilities disclosed by Security 
Explorations last month.

"Many were anticipating Oracle would patch Java Runtime Environment 
(JRE), which they did with Java Runtime Environment Version 7 Update 9 
and Version 6 Update 37," says Marcus Carey, security researcher for 
Rapid7. "I advise everyone who needs Java to update as soon as 
possible."

According to Wolfgang Kandek, CTO of Qualys, Java is a frequently 
neglected piece of software within many enterprise patch processes, an 
opportunity many hackers have not failed to take advantage of.

"In our research into the vulnerability update cycle, we frequently see 
Java as being one of the slowest moving applications to be updated, 
frequently many update cycles behind in patching," Kandek says. 
"Attackers have adapted to this reality, and many modern exploits go 
first for a Java-based attack, as they know that existing, well-known 
vulnerabilities can be exploited reliably."
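The two quotes above give a defender one concrete check: whether each Java runtime in the estate has reached the update levels this CPU shipped (JRE 7 Update 9 and JRE 6 Update 37). The script below is an added example, not part of the article or of any Oracle or Rapid7 tooling. It parses the version format printed by `java -version` (for example `1.7.0_07-b10`) and sorts a constructed host inventory into patched, outdated and needs-review buckets; the baseline table takes only the two update numbers the article states, and anything it cannot map (an unparseable string, or a major version the CPU did not cover) is flagged for review rather than silently treated as patched.

```python
"""Triage Java runtimes against the October 2012 CPU baseline.

Added example (not the article's code). Baseline update levels come from the
article: JRE 7 Update 9 and JRE 6 Update 37. The inventory lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum patched update level per Java major version, as stated in the article.
CPU_BASELINE = {6: 37, 7: 9}

# Matches the version token printed by `java -version`: 1.<major>.<minor>_<update>
# The update part is optional so a bare "1.7.0" still parses (as update 0).
_VERSION_RE = re.compile(r"1\.(\d+)\.\d+(?:_(\d+))?")


def parse_java_version(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for '1.7.0_07-b10' or 'java version "1.6.0_37"'.

    Returns None when no version token is present.
    """
    m = _VERSION_RE.search(version)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_patched(version: str) -> Optional[bool]:
    """True/False against the CPU baseline, or None if it cannot be decided.

    None covers unparseable strings and major versions with no baseline entry
    (e.g. an end-of-life Java 5); callers should treat that as 'review', never
    as 'patched'.
    """
    parsed = parse_java_version(version)
    if parsed is None:
        return None
    major, update = parsed
    if major not in CPU_BASELINE:
        return None
    return update >= CPU_BASELINE[major]


# Constructed inventory: (host, version string as reported by the host).
SAMPLE_INVENTORY = [
    ("web01", "1.7.0_07-b10"),
    ("web02", "1.7.0_09-b05"),
    ("app01", 'java version "1.7.0_09"'),
    ("db01", "1.6.0_33-b03"),
    ("build01", "1.6.0_37-b06"),
    ("legacy01", "1.5.0_22-b03"),
    ("broken", "not a version"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split hosts into patched / outdated / review buckets."""
    buckets: Dict[str, List[str]] = {"patched": [], "outdated": [], "review": []}
    for host, version in inventory:
        status = is_patched(version)
        if status is True:
            buckets["patched"].append(host)
        elif status is False:
            buckets["outdated"].append(host)
        else:
            buckets["review"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feeding real data in is a matter of replacing `SAMPLE_INVENTORY` with the output of whatever inventory tool records the `java -version` string per host; the point of the three-way split is that an unknown or unparseable version goes to a human instead of dropping out of the outdated list.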

[...]


Received on Wed Oct 17 2012 - 02:27:31 PDT
