[ISN] Oracle fixes pile of bugs
isn at c4i.org
Wed Jan 18 04:06:44 EST 2006
By Joris Evers
Staff Writer, CNET News.com
January 17, 2006
As part of its quarterly patch cycle, Oracle released on Tuesday fixes
for a long list of security vulnerabilities in many of its products.
The "Critical Patch Update" delivers remedies for 37 flaws related to
Oracle's Database products, 17 related to Application Server, 20 to
the Collaboration Suite, 27 to E-Business Suite and Applications, one
to PeopleSoft's Enterprise Portal and one in JD Edwards software.
Some of the flaws carry Oracle's most serious rating, which means
they're easy to exploit and an attack can have a wide impact,
according to the alert. "Several of these vulnerabilities are
significant, and should be patched as soon as possible," security
provider Symantec said in an alert to users of its DeepSight
While there are a lot of fixes, the vulnerabilities are clearly
marked, which could make them easier to deal with, Pete Finnigan, a
security specialist in York, England, wrote on his blog. "This seems
like a good mixed bag of fixes, quite a lot in total," he said. "This
time it seems possible to isolate the areas affected in more cases due
to the more explicit naming of some packages, programs and commands."
In addition to the security fixes, Oracle also released a tool to
check for default accounts and passwords. It's meant to help
businesses defend their systems against the "Oracle voyager" database
worm, which takes advantage of those default items.
In response to the Oracle patch release, Symantec raised its ThreatCon
global threat index to Level 2, which means an outbreak is expected.
It typically does that after a patch release because malicious hackers
might use the fixes as a blueprint for attacks.
Oracle has been criticized for being slow to fix security flaws and
being unresponsive to researchers who find bugs. Oracle's chief
security officer, Mary Ann Davidson, has responded in turn by saying
bug hunters themselves can be a problem when it comes to product
security. The company recently said it was adding more automation to
its bug-checking process.
Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
More information about the ISN