April 18, 2006 1:36 PM PDT
Oracle sews up multiple security holes
The Critical Patch Update delivers remedies for 14 flaws related to Oracle's Database products, five related to the Collaboration Suite, one in Application Server, 15 related to E-Business Suite and Applications, two in the Enterprise Manager, one in PeopleSoft's Enterprise portal and one in JD Edwards software.
In addition to the security fixes, Oracle said it has made "significant" changes to an existing tool that checks for default accounts and passwords. The tool was released in January as a response to the "Oracle voyager" database worm, which exploits those default items.
"Several of these vulnerabilities are significant, and should be patched as soon as possible," security provider Symantec said in an alert to users of its DeepSight intelligence service. "No workarounds for these issues have been published by Oracle."
The number of fixes is lower this quarter than in preceding quarters, noticed Pete Finnigan, a security specialist in York, England, who wrote about the patches on his blog. While Oracle provides few details on the problems, Finnigan notes that most of the database bugs appear to relate to the naming of the broken packages, he wrote.
Finnigan also noted that while Oracle released its bulletin, it won't have fixes available for all its products on all operating systems until May 1. "I think it is bad form that Oracle release an advisory telling customers to patch their databases, but for many customers they will have to wait," Finnigan wrote. "It is not really a quarterly patch schedule if the patches are not available quarterly."
The business software maker has come under fire for being slow to patch security holes and for not collaborating well with researchers who find bugs. Oracle's chief security officer, Mary Ann Davidson, has responded in turn by saying bug hunters themselves can be a problem when it comes to product security.
In its patch bulletin, the company credited a number of researchers with reporting vulnerabilities. These include Alexander Kornbrust of Red Database Security, Esteban Martinez Fayo of Application Security and David Litchfield of Next Generation Security Software, who claimed discovery of Oracle Database flaws in a posting to the Full Disclosure mailing list.