Oracle on Tuesday delivered its first-ever monthly rollup of security patches, addressing more than 30 vulnerabilities discovered by Next Generation Security Software Ltd. between January and February, and also tackling more than 20 vulnerabilities that eWEEK.com has learned were recently discovered by Application Security Inc.
Oracle Corp. issued notice of the patches late in the day, narrowly making its promised deadline of delivering the first rollup Aug. 31 after weeks of saying little about the security flaws.
The older patches cover a plethora of vulnerabilities, including the spectrum of NGSS-discovered flaws such as vulnerability to buffer overflow attacks and SQL injection techniques for gaining access to Oracle databases, as well as ASIs newfound flaws, four of which are deemed high risk.
Eric Gonzales, co-founder and director of marketing at New York-based ASI, told eWEEK.com that one of the newly discovered flaws allows remote attackers to take advantage of a known, default user account and password. Other flaws allow the database to be exploited by a regular user, who can crash the database or escalate his or her privileges to administrator level.
For ASI to classify a vulnerability as high risk means that exploits can be almost as simple as opening a command line and establishing a connection to the database, Gonzales said.
At the time this story went to press, ASI was planning to burn the midnight oil as it tests Oracles patches to determine their effectiveness running on various operating systems.
And ASI continues to uncover more vulnerabilities, Gonzales said. “We discovered about 20 of these vulnerabilities, and its growing,” he said. “Every vulnerability encompasses a ton of other vulnerabilities. Were trying to nail down what packages and functions they affect. Theyre all interrelated. Developers are coming over to me every other hour, telling me theres something new.”
Oracle recommended prompt patching. “Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems,” the company said in a statement.
“To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracles Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities.”
The sheer number of Oracle vulnerabilities found since January, added to the fact that Oracle has jumped on Microsoft Corp.s monthly patch release bandwagon, suggest that Oracle could be facing the same type of security headaches that have plagued its rival, Gonzales suggested.
“Its been growing,” he said. “If you look at what happened to Microsoft in the past, its in the beginning stages of whats probably going to be coming. Oracles already been forced to operationalize on a regular basis, just like Microsoft. They now have a security Web page.
“Microsoft has an automatic way of developing bulletins. Theyre fairly open to security vulnerabilities and addressing them. Oracle will have to do the same thing. I think its the beginning of more to come. Its the first step in an evolution of how vendors should be managing this stuff.”
ASI will issue an update of ASAP, its live-update package for its AppDetective network-based vulnerability-assessment tool, as soon as its completed testing of the patches and found that they do in fact remedy the vulnerabilities, Gonzales said.