Oracle Fixes 82 Database, Server Flaws
The Critical Patch Update fixes 37 flaws in Oracle's Database, 17 in its Application Server, 20 in the Collaboration Suite, 27 in E-Business Suite, and one each in the PeopleSoft Enterprise Portal and JD Edwards HTML Server.
While the number may seem staggering to those not used to Oracle's quarterly security updates -- Windows users, for instance, go into shock when Microsoft releases more than a dozen fixes in a given month -- January's batch is actually smaller than the October 2005 bunch. Then, Oracle patched 106 different bugs.
Many of this quarter's fixed vulnerabilities were tagged by Oracle with its highest risk ratings -- unlike other vendors such as Microsoft, Oracle breaks out risk rankings into numerous sub-categories -- with notes that they're easy to exploit and have a potentially wide range of impact. Among the bugs are many which can be exploited remotely, and 61 which can be used by anonymous (non-authenticated) users.
Responding to the patch, Cupertino, Calif.-based Symantec raised its ThreatCon level to "2" late Tuesday. ThreatCon, a 1 through 4 ranking Symantec uses to note the overall security status of the Web, was bumped, said Symantec, because of the Oracle release.
"Although Oracle has not released technical details regarding these issues to the public, technical information regarding several of the vulnerabilities has already been posted to public mailing lists," noted a Symantec warning to users of its DeepSight Threat Management System. "This additional information may reduce that amount of time that an attacker will require to isolate and exploit these vulnerabilities."
Oracle has a standing policy of releasing only the barest amount of information on the specific vulnerabilities in its quarterly security updates, a practice that's come under fire for quite some time. In late 2004, for instance, Gartner analysts recommended that Oracle customers pressure the company to "follow Microsoft and other leaders that disclose the details of their vulnerabilities.” With the multiple products affected, the number of flaws covered, and the scant details, it was no surprise that many security organizations had a hard time getting a grip on the update's seriousness.
Even though it raised its ThreatCon to "2" -- a normal practice when any major vendor releases fixes for its software -- Symantec could only conclude that "several of these vulnerabilities are significant, and should be patched as soon as possible."
Danish vulnerability tracker Secunia, meanwhile, listed the collection as "Moderately critical," but has to go with "Unknown" as its take on the update's overall impact.
Security professionals generally expected that hackers would soon turn attention to the vulnerabilities, patched or not. "This looks very large," said Alfred Huger, senior director of engineering for Symantec's security response team. "Exploits occur against Oracle," he added, even though such attacks rarely get much press. "Databases are far too rich a target to ignore," Huger said. "A lot of these attacks go on behind the curtain, so to speak."
“Information about Oracle exploits is becoming more and more easy to attain – including recent data about Oracle worms," added Ron Ben-Natan, the chief technology officer of database security company Guardium, in an e-mail to TechWeb. "Even the information in the [update] can be a spring-board for hackers looking for a way in."
"Oracle is getting more attention," agreed Huger. "There are some really sharp people credited with finding some of these vulnerabilities."
Among those acknowledged by Oracle were Joxean Koret and Alexander Kornbrust of Red Database Security GmbH, and David Litchfield of Next Generation Security Software.
"This is a good thing," Huger argued, noting that the more researchers sniff for vulnerabilities, the more secure software becomes.
“Identity thieves search for the weakest link in database security in their ongoing attempts to steal personal information – often using one small vulnerability to compromise multiple subsystems within the database engine," concluded Ben-Natan. "These patches are essential for staying protected.”