
News Blog

Read all 'security patches' posts in News Blog
January 14, 2008 7:15 AM PST

Survey: Two-thirds of users don't deploy Oracle quarterly critical patches

by Dawn Kawamoto

If you build it, will they come?

Apparently not when it comes to Oracle's quarterly Critical Patch Updates (CPUs).

Database security firm Sentrigo released some surprising numbers Monday, culled from a survey of 305 database administrators, consultants, and developers in attendance at Oracle Users Group meetings last year.

The survey found that a staggering two-thirds of respondents had never applied an Oracle quarterly CPU. Not one, nada, a big fat zero.

And of the remaining 33 percent of survey respondents who did, only 10 percent noted they had gotten around to applying Oracle's more recent CPU, or the one before that.

"When it comes to installing the CPUs, it involves testing the applications that are running on the database. A single database may run three or four applications, or thousands of them. It takes a lot of time, and fixing a bug here, or there, in the database can affect the application," said Slavik Markovich, Sentrigo's chief technology officer.

Hopefully, database administrators will step up to the plate and take a swing at this cumbersome task, given Oracle is set to release its next quarterly Critical Patch Update on Tuesday--and we're talking 27 security patches across hundreds of Oracle products.

The upcoming CPU includes eight security patches for Oracle's database and six for its Oracle Application Server. The database flaws are believed to be less problematic, since attackers can't exploit them without first authenticating with credentials such as a username and password; the Oracle Application Server vulnerabilities aren't so lucky. Those flaws could be remotely exploited without authentication.

Despite this work ahead--or not if you're part of the group that never deploys the Oracle CPUs--one thing that you may find heartening is the 27 patches are far less than the 101 security fixes Oracle doled out in October 2006, as part of its Critical Patch Update.

August 30, 2007 12:10 PM PDT

Yahoo Messenger patches security flaw, again

by Dawn Kawamoto

Got Yahoo Messenger? Hit refresh.

Yahoo on Thursday issued a patch for a highly critical security flaw, just a week after it issued another Yahoo IM security update.

In this latest case, a security flaw was discovered in the ActiveX control, which is part of the Yahoo services suite that is typically downloaded with the Yahoo Messenger installer. The vulnerability could be exploited if a user visits a malicious Web site, which in turn could lead to a buffer overflow attack and launch of arbitrary executable code.

Not a good thing.

Yahoo is calling on users to update to version 8.1.0.419. That applies to any user running a version released before Wednesday.

On the bright side, Yahoo says it knows of no exploits for this particular flaw at this time.

August 9, 2007 10:14 AM PDT

Cisco issues 10 security updates

by Dawn Kawamoto

On Wednesday, Cisco Systems issued 10 security updates--three of which address vulnerabilities that can cause "moderate" damage to users' systems.

Although Cisco lists the security flaws as "moderate," it ranks them a "4" on its 5-point severity scale. And in two of the three cases, attackers could gain access without the need to authenticate their identity.

Various versions of the Cisco CallManager and IOS products contain the security flaws, according to Cisco's security advisory.

The Cisco CallManager and IOS products contain security flaws that relate to processing malformed Session Initiation Protocol (SIP) packets. SIP packets are used to set up and manage sessions in applications such as VoIP and teleconferencing; affected devices could be pushed into a denial-of-service condition as they attempt to handle malicious SIP packets.

Security flaws were also found in Cisco IOS relating to its Next Hop Resolution Protocol packets, as well as its secure copy server operations in some versions of IOS.

Cisco issued an update for numerous versions of IOS, in an effort to patch a security flaw within its Next Hop Resolution Protocol packets and their boundary checking parameters. Malicious attackers could exploit the vulnerabilities by sending a malicious packet to users' systems, triggering a buffer overflow attack.

In the case of the secure copy (SCP) server flaws, an authenticated remote attacker could exploit a flaw in certain versions of Cisco IOS. The vulnerabilities are a result of insufficient enforcement of access restrictions, when performing secure copy operations within IOS. As a result, attackers with minimal read-access privileges could perform SCP operations as though they had maximum privileges.

July 10, 2007 11:42 AM PDT

Microsoft fixes 11 flaws in six patches; three are critical

by Robert Vamosi

Microsoft has released its July 2007 security bulletin, which includes six updates: three are designated "critical" by the software giant, two are deemed "important," and one is ranked "moderate." Two affect Microsoft Office, and one affects the Windows Vista Firewall. This patch cycle also addresses one flaw first reported in 2005. To keep your Windows XP SP1 system secure, update to Windows XP SP2 today. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-036: Critical
Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)," this bulletin affects users of Microsoft Office Excel 2000, 2002, 2003 and 2007, as well as the Microsoft Office compatibility pack for Office 2007, and addresses the vulnerabilities detailed in CVE-2007-1756, CVE-2007-3029 and CVE-2007-3030. Successful exploitation could lead to remote code execution.

MS07-037: Important
Titled "Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548)," this bulletin affects users of Microsoft Office Publisher 2007, and does not affect Microsoft Office Publisher 2000, 2002 or 2003, and addresses the vulnerabilities detailed in CVE-2007-1754. Successful exploitation could lead to remote code execution.

MS07-038: Moderate
Titled "Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)," this bulletin affects users of Windows Vista (32-bit and 64-bit), but does not affect Windows 2000, XP, and Windows Server 2003, and addresses the vulnerability detailed in CVE-2007-3038. Successful exploitation could allow an attacker to gather information about the affected host.

MS07-039: Critical
Titled "Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)," this bulletin affects users of Windows 2000 Server and Windows Server 2003, and does not affect Windows 2000, Windows XP and Windows Vista. It addresses the vulnerabilities detailed in CVE-2007-0040 and CVE-2007-3028. Successful exploitation could allow an attacker to take complete control of an affected system, install programs; view, change or delete data; or create new accounts.

MS07-040: Critical
Titled "Vulnerabilities in .Net Framework Could Allow Remote Code Execution (931212)," this bulletin affects users of .Net Framework 1.0, .Net Framework 1.1 and .Net Framework 2.0 on all Windows platforms, and does not affect users of .Net Framework 3.0 on any Windows platform. It addresses the vulnerabilities detailed in CVE-2007-0041, CVE-2007-0042 and CVE-2007-0043. Successful exploitation could allow remote code execution as well as information disclosure.

MS07-041: Important
Titled "Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)," this bulletin affects users of Microsoft Internet Information Services (IIS) 5.1 running on Windows XP Professional SP 2, and does not affect Windows 2000, Windows XP Home SP 2, Windows Server 2003 and Windows Vista. It addresses the vulnerability detailed in CVE-2005-4360. Successful exploitation could allow an attacker to take complete control of the affected system.

June 29, 2007 7:24 AM PDT

Java Web Start security flaw patched

by Dawn Kawamoto

How about a security patch to take that bitter edge off your Java brew?

Sun Microsystems issued a security update on Thursday that is designed to patch vulnerabilities in its Java Web Start application, which allows software for the Java platform to be launched using a Web browser.

The security flaws, described as "highly critical," were found in Java Web Start versions JDK and JRE 5.0 Update 11 and earlier, as well as Java Web Start in SDK and, on Windows, version JRE 1.4.2_13 and earlier, according to a security advisory by Secunia.

Sun issued two security updates, one for Java Web Start in JDK and JRE 5.0 Update 12 or later, and the other for Java Web Start in SDK and JRE 1.4.2_14 or later.

Sun noted that the Java Web Start flaws could allow an untrusted application to gain permissions to overwrite any file written by the user running the application. This could include, for example, the user's .java.policy file, allowing the application to invoke applets or Java Web Start applications. These would then be used to execute arbitrary code with the permissions of the user running the untrusted application, according to Sun's security advisory.
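Because the Java Web Start flaw above matters precisely when an untrusted application can rewrite the user's .java.policy file, a defender's first question is what that file currently grants and who can write it. The following is an added audit script, not code from Sun or from the article: it parses a simplified subset of the Java policy-file syntax (grant blocks with an optional codeBase and permission lines), flags blocks that grant java.security.AllPermission or that apply to all code because they carry no codeBase, and checks whether the file is writable by anyone other than its owner. The sample policy text is constructed for the example; the function names and the simplified grammar are this example's own assumptions.

```python
import os
import re
import stat
from pathlib import Path

# Constructed sample of a ~/.java.policy file (not from the article). The second
# grant block is the kind of entry an untrusted application would want to plant:
# no codeBase, so it applies to every applet or Web Start app the JVM loads.
SAMPLE_POLICY = """
grant codeBase "file:${user.home}/apps/trusted.jar" {
    permission java.io.FilePermission "${user.home}/data/-", "read";
};

grant {
    permission java.security.AllPermission;
};
"""

# Simplified grammar: 'grant [codeBase "..."] { permission <class> ["target"[, "actions"]]; ... };'
# Real policy files also allow signedBy/principal clauses, which this parser ignores.
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)(?:\s+"([^"]*)")?')


def parse_policy(text):
    """Return one (codeBase or None, [permission class names]) tuple per grant block."""
    blocks = []
    for m in GRANT_RE.finditer(text):
        codebase = m.group(1)
        perms = [p.group(1) for p in PERM_RE.finditer(m.group(2))]
        blocks.append((codebase, perms))
    return blocks


def risky_grants(text):
    """Flag grant blocks that hand out AllPermission, or that have no codeBase
    restriction (and therefore apply to any code the JVM loads)."""
    findings = []
    for codebase, perms in parse_policy(text):
        if "java.security.AllPermission" in perms:
            findings.append(("AllPermission", codebase))
        elif codebase is None and perms:
            findings.append(("unrestricted codeBase", codebase))
    return findings


def writable_by_others(path):
    """True if group or world can write the file, i.e. processes other than the
    owner's could rewrite the policy without exploiting anything."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_policy_file(path):
    """Audit a policy file on disk; a missing file is reported, not treated as an error."""
    p = Path(path)
    if not p.exists():
        return {"exists": False, "findings": [], "others_writable": False}
    return {
        "exists": True,
        "findings": risky_grants(p.read_text()),
        "others_writable": writable_by_others(p),
    }


if __name__ == "__main__":
    for kind, codebase in risky_grants(SAMPLE_POLICY):
        print(f"{kind}: codeBase={codebase!r}")
    print(audit_policy_file(Path.home() / ".java.policy"))
```

Run against the constructed sample it reports the AllPermission grant with no codeBase; run as a script it also audits the real ~/.java.policy if one exists. A grant of AllPermission to unrestricted code is exactly what turns a file-overwrite bug like the one described above into arbitrary code execution, so an empty or absent .java.policy is the expected healthy state for most users.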
