Oracle Issues Monster Security Update

By Chris Preimesberger, October 18, 2005

      Oracle Corp. on Tuesday released its quarterly Critical Patch Update, closing 85 security vulnerabilities with 23 patches in its databases, servers and enterprise applications.

      Oracle describes “critical patch update” as “a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.”

      Seven of the 23 patches cover the company's flagship Oracle 10g line, including fixes for the database server itself and for the Grid Control, Application Server, Collaboration Suite and Database Control products.

      Patches are also included for the Oracle 9i and Oracle 8i database servers.

      PeopleSoft Enterprise Tools and PeopleSoft CRM also have new patches, as does JD Edwards EnterpriseOne/OneWorld XE.

      The Oracle Database Server, Enterprise Manager, Oracle Application Server and Oracle Collaboration Suite patches in the update are cumulative, the company said: each successive Critical Patch Update contains the fixes from the previous updates, so applying the latest one closes the earlier holes as well.

      Oracle E-Business Suite/Applications patches are not cumulative, so E-Business Suite/Applications customers should refer to previous Critical Patch Updates to identify earlier fixes they still need to apply, the company said. A customer who skipped an earlier update on those products cannot rely on this one to cover it.

      As a matter of policy, Oracle does not provide additional information about the specifics of vulnerabilities beyond what is provided in the quarterly notification, the pre-installation notes, the readme files and FAQs. Customers therefore have to prioritize from the advisory itself rather than from details of the underlying flaws.

      Oracle's quarterly patch releases are scheduled for January, April, July and October. They are released on the Tuesday closest to the 15th day of those months.

      The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Brian Carr; Sacha Faust of S.P.I. Dynamics Inc.; Esteban Martínez Fayó of Application Security Inc.; Alexander Kornbrust of Red Database Security; Steven Kost of Integrigy Corp.; David Litchfield of NGSS Limited; and Noderat Ratty and Keigo Yamazaki of Little eArth Corp. Co., Ltd.

      In a recent posting to a vulnerability-disclosure mailing list, Litchfield, managing director of NGS Software and a vocal Oracle security critic, complained that Oracle historically has been very slow in responding to reported vulnerabilities, especially in its database servers.

      "Some of Oracle's fixes simply attempt to stop the example exploits I sent them for reproduction purposes. In other words, the actual flaw was not addressed, and with a slight modification to the exploit, it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself," he wrote.

      Litchfield said he had reported the broken fixes to Oracle in February this year.

      “It is now October 2005 … in all of this time, Oracle database servers have been easy to crack—a fact Oracle is surely aware of,” he wrote.

      Database break-ins are becoming more attractive to hackers because enterprises are putting more data into digital form and online, analysts say.

      "Absolutely—it's like cracking the bank safe instead of mugging the customers as they walk out the door," Gartner security analyst Rich Mogull told Ziff Davis Internet via e-mail. "While it's harder, the payoff is bigger. Look at the CardSystems case as an example of a big DB theft (we think, not all the details are out)."


      Website break-ins and DOS (denial-of-service) attacks often get a lot of media coverage, but not as much is heard about database break-ins, because “they are less public and it takes a higher caliber of attack,” Mogull said.

      “If someone defaces your Web site, you know right away. If they copy a database, you might never know.

      "Also, databases are usually better protected and less exposed to direct Internet attack, so the attacks themselves need to be more sophisticated. For example, we have SQL injection attacks where someone figures out how to embed SQL statements into an application (usually in a form field) and get results or make changes to the database in ways that should never happen. It's not nearly as easy as downloading the latest worm tool."

      Mogull said that database security overall is "improving, but we still have a ways to go. Some of the problems are very hard to solve, such as better monitoring of DBA [database administrator] activity or better patch management.

      "I think we're doing a moderate job and relying a little too much on databases historically being deeper within the enterprise. Some examples of really bad practices are static passwords stored in clear text in applications and batch jobs, shared administrative accounts, no controls on DBA activity, etc. We can definitely be doing better," Mogull said.
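      The form-field injection Mogull describes, shown as an added example that is not from the article, from Gartner or from Oracle. It uses Python's built-in sqlite3 module with a constructed in-memory customer table (no Oracle server is needed to see the flaw); the table, the sample rows and the attacker inputs are all assumptions for illustration. The vulnerable lookup splices the field into the SQL text, so a quote in the input rewrites the statement: a tautology returns every row, and a UNION reads the schema catalogue. The parameterized lookup sends the same input as a bound value and returns nothing.

```python
import sqlite3

# Constructed sample data for the example; no real customer records.
SAMPLE_ROWS = [
    ("alice", "1111"),
    ("bob", "2222"),
    ("carol", "3333"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for an application's customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw: the form field is concatenated into the SQL text, so quote
    characters in the input change the structure of the statement."""
    sql = (
        "SELECT username, card_last4 FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, card_last4 FROM customers WHERE username = ?",
        (username,),
    ).fetchall()


# Hypothetical form-field inputs used to exercise both lookups.
NORMAL_INPUT = "alice"
TAUTOLOGY_INPUT = "x' OR '1'='1"                                  # dumps every row
UNION_INPUT = "x' UNION SELECT name, sql FROM sqlite_master --"   # reads the schema


def run_demo() -> dict:
    """Run each input through both lookups and return the rows each produced."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, NORMAL_INPUT),
        "tautology": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "union": lookup_vulnerable(conn, UNION_INPUT),
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY_INPUT),
        "safe_normal": lookup_parameterized(conn, NORMAL_INPUT),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:15s} -> {rows}")
```

      The same concatenation bug exists regardless of the database behind the application; only the catalogue table the UNION reads (sqlite_master here, a data-dictionary view on a commercial server) changes. Bound parameters, not input filtering, are the fix, because the filter has to anticipate every quoting trick the parser accepts.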
