Oracle Issues Monster Security Update


Oracle Corp. on Tuesday released its quarterly Critical Patch Update, closing 85 security vulnerabilities with 23 patches in its databases, servers and enterprise applications.

Oracle describes a "critical patch update" as "a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches."

Seven of the 23 patches involve aspects of the company's flagship database, Oracle 10g, including fixes for the main server itself, Grid Control, Application Server, Collaboration Suite and Database Control products.

Patches are also included for the Oracle 9i and Oracle 8i database servers.

PeopleSoft Enterprise Tools and PeopleSoft CRM also have new patches, as does JD Edwards EnterpriseOne/OneWorld XE.

The Oracle Database Server, Enterprise Manager, Oracle Application Server and Oracle Collaboration Suite patches in the Updates are cumulative, the company said.

Each successive Critical Patch Update contains the fixes from the previous updates.

Oracle E-Business Suite/Applications patches are not cumulative, so E-Business Suite/Applications customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply, the company said.

As a matter of policy, Oracle does not provide additional information about the specifics of vulnerabilities beyond what is provided in the quarterly notification, the Pre-Installation notes, the readme files and FAQs.

Oracle's quarterly patch releases are scheduled for January, April, July and October. They are released on the Tuesday closest to the 15th day of those months.

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Brian Carr; Sacha Faust of S.P.I. Dynamics Inc.; Esteban Martínez Fayó of Application Security Inc.; Alexander Kornbrust of Red Database Security; Steven Kost of Integrigy Corp.; David Litchfield of NGSS Limited; and Noderat Ratty and Keigo Yamazaki of Little eArth Corp. Co., Ltd.

In a recent posting to a bug-tracking mailing list, Litchfield, managing director of NGS Software and a vocal Oracle security critic, complained that Oracle historically has been very slow in responding to reported vulnerabilities—especially in its database servers.

"Some of Oracle's fixes simply attempt to stop the example exploits I sent them for reproduction purposes. In other words, the actual flaw was not addressed, and with a slight modification to the exploit, it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself," he wrote.

Litchfield said he had reported the broken fixes to Oracle in February this year.

"It is now October 2005 ... in all of this time, Oracle database servers have been easy to crack—a fact Oracle is surely aware of," he wrote.

Database break-ins are becoming more attractive to hackers because enterprises are putting more data into digital form and online, analysts say.

"Absolutely—it's like cracking the bank safe instead of mugging the customers as they walk out the door," Gartner security analyst Rich Mogull told Ziff Davis Internet via e-mail. "While it's harder, the payoff is bigger. Look at the CardSystems case as an example of a big DB theft (we think, not all the details are out)."


Website break-ins and DoS (denial-of-service) attacks often get a lot of media coverage, but not as much is heard about database break-ins, because "they are less public and it takes a higher caliber of attack," Mogull said.

"If someone defaces your Web site, you know right away. If they copy a database, you might never know.

"Also, databases are usually better protected and less exposed to direct Internet attack, so the attacks themselves need to be more sophisticated. For example, we have SQL injection attacks where someone figures out how to embed SQL statements into an application (usually in a form field) and get results or make changes to the database in ways that should never happen. It's not nearly as easy as downloading the latest worm tool."

Mogull said that database security overall is "improving, but we still have a ways to go. Some of the problems are very hard to solve, such as better monitoring of [DBA] database administrator activity or better patch management.

"I think we're doing a moderate job and relying a little too much on databases historically being deeper within the enterprise. Some examples of really bad practices are static passwords stored in clear text in applications and batch jobs, shared administrative accounts, no controls on DBA activity, etc. We can definitely be doing better," Mogull said.


Chris Preimesberger
