January 17, 2006 3:50 PM PST
Oracle fixes pile of bugs
- Related Stories
Oracle to 'Fortify' its source codeDecember 20, 2005
Halloween treat for Oracle: A database wormNovember 1, 2005
Oracle fixes bugs with mega patchOctober 18, 2005
When security researchers become the problemJuly 27, 2005
Oracle dragging heels on unfixed flaws, researcher saysJuly 19, 2005
The "Critical Patch Update" delivers remedies for 37 flaws related to Oracle's Database products, 17 related to Application Server, 20 to the Collaboration Suite, 27 to E-Business Suite and Applications, one to PeopleSoft's Enterprise Portal and one in JD Edwards software.
Some of the flaws carry Oracle's most serious rating, which means they're easy to exploit and an attack can have a wide impact, according to the alert. "Several of these vulnerabilities are significant, and should be patched as soon as possible," security provider Symantec said in an alert to users of its DeepSight intelligence service.
While there are a lot of fixes, the vulnerabilities are clearly marked, which could make them easier to deal with, Pete Finnigan, a security specialist in York, England, wrote on his blog. "This seems like a good mixed bag of fixes, quite a lot in total," he said. "This time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands."
In addition to the security fixes, Oracle also released a tool to check for default accounts and passwords. It's meant to help businesses defend their systems against the "Oracle voyager" database worm, which takes advantage of those default items.
In response to the Oracle patch release, Symantec raised its ThreatCon global threat index to Level 2, which means an outbreak is expected. It typically does that after a patch release because malicious hackers might use the fixes as a blueprint for attacks.
Oracle has been criticized for being slow to fix security flaws and being unresponsive to researchers who find bugs. Oracle's chief security officer, Mary Ann Davidson, has responded in turn by saying bug hunters themselves can be a problem when it comes to product security. The company recently said it was adding more automation to its bug-checking process.