Researcher: Oracle Patch Set Flawed Again

By Lisa Vaas  |  Posted 2005-10-20 Print this article Print

A security researcher has reported that Oracle's most recent quarterly cumulative patch update leaves some flaws exploitable.

A security researcher has reported that Oracles most recent quarterly cumulative patch update, released on Tuesday, leaves some flaws exploitable. David Litchfield, a security research with Next Generation Security Software Ltd., was in the process of auditing the CPU when this story was posted. Litchfield on Wednesday evening posted to BugTraq a message saying that the patch is still lacking.
"Having downloaded and given the Oracle October patch a cursory examination, some of the flaws Oracle told me were being fixed, remain exploitable," he wrote. "Once again the patch is not sufficient. I will conduct a full investigation of the patch over the coming few days and post some recommendations once complete."
The October CPU, a set of 23 patches, is intended to close 85 security vulnerabilities in Oracle databases, servers and enterprise applications. Seven of the 23 patches involve aspects of the companys flagship database, Oracle 10g, including fixes for the main server itself, Grid Control, Application Server, Collaboration Suite and Database Control products. Patches are also included for the Oracle 9i and Oracle 8i database servers. PeopleSoft Enterprise Tools and PeopleSoft CRM also have new patches, as does JD Edwards EnterpriseOne/OneWorld XE. Litchfield and other security researchers have taken Oracle to task repeatedly over the past few years regarding vulnerabilities remaining unpatched for long periods of time, as well as regarding patches that dont fix what theyre supposed to. Oracle in July admitted that both its April and June CPUs were flawed. Litchfield has found that 76 percent of surveyed database servers have anomalies between expected and actual patch levels. Click here to read more. Oracle Chief Security Officer Mary Ann Davidson went on the defense shortly thereafter, penning an article dismissing the motives of security researchers who point out vulnerabilities—a rare moment for Oracle, which usually keeps security details close to the vest and doesnt often stoop to answer criticism on matters of security. The company did not respond to a request for comment on the most recent allegations of flawed patch sets. Oracle customers, for their part, are generally nonplussed by the news that patch sets arent perfect. "Any DBA worth her salt has identified and resolved these issues," one reader wrote in feedback to an earlier article about Oracles security woes. "In the real world of software administration people do not expect everything to work as prescribed all the time. ... This is part of the reason why good IT people are [paid] so much." Indeed, users tend to report having their Oracle databases locked down tight, saying that they dont find the bugs as troublesome in reality as they are in headlines. However, not all are so sanguine. Litchfield has told that he has plenty of clients who use Oracle and run databases that are exposed to the Internet. In particular, he has cited universities databases as being more exposed and thereby more susceptible to vulnerabilities than the general population of Oracle users tend to be. Check out eWEEK.coms for the latest database news, reviews and analysis.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel