Oracle Fixes 36 Bugs In Patch Update

By Kevin McLaughlin, CRN
April 18, 2007    4:01 PM ET

In its latest patch update, Oracle has fixed 36 vulnerabilities affecting a broad swath of its product line.

The Redwood Shores, Calif.-based software vendor on Tuesday said it patched 13 vulnerabilities in its database product, 11 bugs in the Oracle E-Business Suite and five bugs in the Oracle Application Server.

Oracle, which last October began scoring its vulnerabilities using the 10-point Common Vulnerability Scoring System, gave its highest threat rating -- a CVSS base score of 7.0 -- to an issue affecting the Core RDBMS component of the Oracle database.

However, the flaw only affects Oracle running on Windows XP with simple file sharing enabled, so it's not a problem for all Windows systems, David Litchfield, managing director of U.K.-based Next Generation Security Software, said in an e-mail interview.

Many of the flaws Oracle patched in this release are old issues, according to Litchfield, who said he reported the vulnerability to Oracle in 2002.

"This may indicate that Oracle is now in a position where they can 'clear the backlog,' indicating that most of the more important flaws have been found and patched," which suggests that future updates could be smaller, Litchfield wrote in a white paper on the new patch release.

None of Oracle's CVSS base scores for the other 35 vulnerabilities exceeded 4.2. The vendor also assigned CVSS scores of 0.0 to four database flaws, noting in an advisory that these "represent problems that are not exploitable in a default database environment."

Oracle also plans to alter the content of future patch updates for its server and middleware products to address the trend of customers not downloading certain platform and version combinations.

In the next patch release, scheduled for July 17, Oracle plans to only issue patches for these products if customers ask for them, as opposed to systematically creating patches.

"This change should not affect most customers, as we are only targeting inactive combinations," Eric Maurice, manager for security in Oracle's Global Technology Business Unit, wrote in a blog post.
