July 18, 2006 2:44 PM PDT

Oracle plugs 65 security holes

As part of its quarterly patch cycle, Oracle on Tuesday released fixes for 65 security vulnerabilities that affect many of its products.

Many of the vulnerabilities are significant; 27 of the 65 bugs could be exploited remotely by an anonymous attacker, Darius Wiles, senior manager for security alerts at Oracle, said in an interview. Oracle has no suggested workarounds for any of the issues. Instead it is urging customers to patch their systems.

"We fix flaws in severity order. The fixes you see in the Critical Patch Update are the most critical," Wiles said. "We strongly recommend to customers that they apply these security patches as soon as they can."

Oracle's July Critical Patch Update delivers remedies for 23 flaws related to Oracle's Database products, one related to the Collaboration Suite, 10 in Application Server, 20 related to E-Business Suite and Applications, four in the Enterprise Manager, two in PeopleSoft's Enterprise portal and one in JD Edwards software.

In addition, the patch bunch includes fixes for four security vulnerabilities in client software that works with the Oracle database. This is only the second time since Oracle started releasing its Critical Patch Update, or CPU, in January 2005 that it has included fixes for software that runs on PCs, not servers.

"Customers need to think about patching desktops for the July CPU, whereas in the majority of CPUs only the database server needs to be patched," Wiles said.

Three of the four flaws in the client software are considered to be severe because they don't require any authentication and can be exploited remotely, according to Oracle's security alert.

One of the new Oracle fixes repairs a database vulnerability the company accidentally detailed in April. Usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products, the company on April 6 itself published a note on its MetaLink customer Web site with details about the unfixed flaw.

In April, Oracle faced criticism for not delivering patches for all its products at the same time. The company is looking to improve on that this time around. "Our aim is to deliver quality patches on the official day of release," Wiles said.

The July patch release should include about 250 software fixes for Oracle products on multiple operating system platforms. Of those, approximately 10 are not available yet, but will be in the coming days. Some might take a bit longer, Wiles said.

Oracle is not aware of any attacks that exploit the flaws addressed in its Critical Patch Update, Wiles said. The company, which has been criticized for its slowness in patching flaws reported by security researchers, is still working on issues that have been brought to its attention and plans to address those in later patch releases, he said.

See more CNET content tagged:
Oracle Corp., flaw, Oracle Database, client software, database server

3 comments

Join the conversation!
Add your comment
That's interesting...
...whatever happened to 'Unbreakable' Oracle.
Posted by bruce alan (2 comments )
Reply Link Flag
Reality check
Their boasting has come back to haunt them. They made false claims about their "unbreakability" based on a foolish assumption that their code was solid but failed to actually check their code for common vulnerabilities before they started their boasting.

The 250 fixes being released this quarter though show that they've gotten over their complancency and are getting serious about addressing the problems.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
ONLY 65 holes?
For a high profiled company based around security, 65 holes seems rather extreme. Large comapnies lately have done a poor job at keeping their customer databases to themselves (CitiBank etc.) and if Oracle didn't fix this so soon, it could have caused even more major problems.

If large companies can rid themselves of these major vulnerabilities, customers can stop worrying about their information within online coorporations.
<a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article17.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article17.htm</a>
Posted by Nkully86 (59 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.