Oracle Readies 16 Highly Critical Security Patches

The Redwood City, Calif.-based company is scheduled to release 78 vulnerability fixes Jan. 17. The patch breakdown by product from the company's pre-release announcement Friday includes 27 for MySQL, 11 for Fusion Middleware, three for E-Business Suite, 17 for products branded under Sun Microsystems, which Oracle bought in 2009; three for Oracle Virtualization, six for the PeopleSoft product line, eight for the JD Edwards line, two for the Oracle database server and one for the Oracle Supply Chain Product Suite.

Six dozen patches may seem like a lot, but Wolfgang Kandek, chief technology officer for security vendor Qualys, described the number as "pretty normal" for Oracle, given the company's extensive product portfolio.

While the quantity is not unusual, the patches should be taken seriously, Kandek said. The industry tends to be more focused on Microsoft's monthly patch release, because of the impact on the Windows PC, which is used by more people. Oracle's products are typically in the data center and less visible. "They are probably as critical as Microsoft programs for many companies," Kandek said.

The 16 highly critical fixes are for "remotely exploitable" vulnerabilities, which means an attacker could gain access to a system without having credentials, such as an administrative password. "That is actually the most critical vulnerability that I can think of," Kandek said. Companies should place Internet-facing systems, such as Oracle Web application servers, high on the list of systems to update.