- Related Stories
-
Oracle sews up multiple security holes
April 18, 2006 -
Oracle's oops on security flaw
April 11, 2006 -
Oracle fixes pile of bugs
January 17, 2006 -
Bug hunters, software firms in uneasy alliance
September 6, 2005 -
Following trend, Oracle sets schedule for patches
November 18, 2004
Many of the vulnerabilities are significant; 27 of the 65 bugs could be exploited remotely by an anonymous attacker, Darius Wiles, senior manager for security alerts at Oracle, said in an interview. Oracle has no suggested workarounds for any of the issues. Instead it is urging customers to patch their systems.
"We fix flaws in severity order. The fixes you see in the Critical Patch Update are the most critical," Wiles said. "We strongly recommend to customers that they apply these security patches as soon as they can."
Oracle's July Critical Patch Update delivers remedies for 23 flaws related to Oracle's Database products, one related to the Collaboration Suite, 10 in Application Server, 20 related to E-Business Suite and Applications, four in the Enterprise Manager, two in PeopleSoft's Enterprise portal and one in JD Edwards software.
In addition, the patch bunch includes fixes for four security vulnerabilities in client software that works with the Oracle database. This is only the second time since Oracle started releasing its Critical Patch Update, or CPU, in January 2005 that it has included fixes for software that runs on PCs, not servers.
"Customers need to think about patching desktops for the July CPU, whereas in the majority of CPUs only the database server needs to be patched," Wiles said.
Three of the four flaws in the client software are considered to be severe because they don't require any authentication and can be exploited remotely, according to Oracle's security alert.
One of the new Oracle fixes repairs a database vulnerability the company accidentally detailed in April. Usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products, the company on April 6 itself published a note on its MetaLink customer Web site with details about the unfixed flaw.
In April, Oracle faced criticism for not delivering patches for all its products at the same time. The company is looking to improve on that this time around. "Our aim is to deliver quality patches on the official day of release," Wiles said.
The July patch release should include about 250 software fixes for Oracle products on multiple operating system platforms. Of those, approximately 10 are not available yet, but will be in the coming days. Some might take a bit longer, Wiles said.
Oracle is not aware of any attacks that exploit the flaws addressed in its Critical Patch Update, Wiles said. The company, which has been criticized for its slowness in patching flaws reported by security researchers, is still working on issues that have been brought to its attention and plans to address those in later patch releases, he said.
See more CNET content tagged:
Oracle Corp.,
flaw,
Oracle Database,
client software,
database server
The 250 fixes being released this quarter though show that they've gotten over their complancency and are getting serious about addressing the problems.
- ONLY 65 holes?
-
by Nkully86
July 19, 2006 9:46 AM PDT
- For a high profiled company based around security, 65 holes seems rather extreme. Large comapnies lately have done a poor job at keeping their customer databases to themselves (CitiBank etc.) and if Oracle didn't fix this so soon, it could have caused even more major problems.
-
Reply to this comment
-
(3 Comments)If large companies can rid themselves of these major vulnerabilities, customers can stop worrying about their information within online coorporations.
http://www.essentialsecurity.com/Documents/article17.htm