Oracle Delivers First Monthly Patch Rollup

By Lisa Vaas  |  Posted 2004-08-31 Print this article Print

The patch set addresses more than 30 long-known vulnerabilities, as well as 20-plus high-risk flaws recently uncovered by Application Security.

Oracle on Tuesday delivered its first-ever monthly rollup of security patches, addressing more than 30 vulnerabilities discovered by Next Generation Security Software Ltd. between January and February, and also tackling more than 20 vulnerabilities that has learned were recently discovered by Application Security Inc. Oracle Corp. issued notice of the patches late in the day, narrowly making its promised deadline of delivering the first rollup Aug. 31 after weeks of saying little about the security flaws. Click here to read more about the 30-plus vulnerabilities found at the beginning of the year.
The older patches cover a plethora of vulnerabilities, including the spectrum of NGSS-discovered flaws such as vulnerability to buffer overflow attacks and SQL injection techniques for gaining access to Oracle databases, as well as ASIs newfound flaws, four of which are deemed high risk.
Eric Gonzales, co-founder and director of marketing at New York-based ASI, told that one of the newly discovered flaws allows remote attackers to take advantage of a known, default user account and password. Other flaws allow the database to be exploited by a regular user, who can crash the database or escalate his or her privileges to administrator level. Oracle was silent about the security flaws for far too long, Database Center Editor Lisa Vaas writes. Click here to read more. For ASI to classify a vulnerability as high risk means that exploits can be almost as simple as opening a command line and establishing a connection to the database, Gonzales said. At the time this story went to press, ASI was planning to burn the midnight oil as it tests Oracles patches to determine their effectiveness running on various operating systems. And ASI continues to uncover more vulnerabilities, Gonzales said. "We discovered about 20 of these vulnerabilities, and its growing," he said. "Every vulnerability encompasses a ton of other vulnerabilities. Were trying to nail down what packages and functions they affect. Theyre all interrelated. Developers are coming over to me every other hour, telling me theres something new." Click here for more details on which products are affected by the patches. Oracle recommended prompt patching. "Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems," the company said in a statement. "To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracles Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities." For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. The sheer number of Oracle vulnerabilities found since January, added to the fact that Oracle has jumped on Microsoft Corp.s monthly patch release bandwagon, suggest that Oracle could be facing the same type of security headaches that have plagued its rival, Gonzales suggested. "Its been growing," he said. "If you look at what happened to Microsoft in the past, its in the beginning stages of whats probably going to be coming. Oracles already been forced to operationalize on a regular basis, just like Microsoft. They now have a security Web page. "Microsoft has an automatic way of developing bulletins. Theyre fairly open to security vulnerabilities and addressing them. Oracle will have to do the same thing. I think its the beginning of more to come. Its the first step in an evolution of how vendors should be managing this stuff." Click here to listen to an archived version of eWEEK.coms recent eSeminar on protecting customer data. ASI will issue an update of ASAP, its live-update package for its AppDetective network-based vulnerability-assessment tool, as soon as its completed testing of the patches and found that they do in fact remedy the vulnerabilities, Gonzales said. The security patches are available on Oracle Technology Network and on Oracles support site, Metalink. Check out eWEEK.coms Database Center at for the latest database news, reviews and analysis.

Be sure to add our database news feed to your RSS newsreader or My Yahoo page

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel