February 18, 2003 4:39 PM PST
Oracle plugs six-pack of flaws
Redwood Shores, Calif.-based Oracle released patches for the six vulnerabilities--four deemed critical and two merely serious--last week.
Oracle has tried to structure the way it releases patches for its products, so that customers aren't inundated with fixes, said Mary-Ann Davidson, the company's chief security officer.
"I always worry about whether people apply the patches," she said. "We did revise our bug handling, so we have a formula for what is big and nasty. If it's above a certain severity threshold, we can release the fix as a one-off, before we release an (entire) patch set."
The formula includes factors such as how widely used the impacted software is and what effects exploiting the flaw can have.
The current flaws include four critical buffer overflows in various components of Oracle's database server software, including its latest Oracle 9i Release 2. Buffer overflows, or overruns, occur when an application does not handle memory correctly. By causing a buffer overflow, attackers can insert their own code into the execution of the application. Each of the four flaws could allow a malicious user--someone who already has some access to the database--to gain complete control of the server.
Two other vulnerabilities could use other Oracle components to cause a denial-of-service attack.
Davidson said that six flaws, in five advisories, may sound a daunting number but that Oracle decided that separating the alerts made more sense than releasing a single combined notification, a strategy occasionally used by Microsoft.
"We aren't going to play that game," she said. "We could have bundled all of these into one alert, but we thought that would have been confusing to people."