Those of you hung over from patching Windows XP SP2 can't sleep in just yet. More than 40 vulnerabilities have been reported for Oracle's flagship software products. Holes in the Database Server and its Listener element can be exploited even without a valid user account. The Portal and iSQL*Plus components of Oracle Application Server are similarly vulnerable. The holes in Oracle Enterprise Manager are less severe--they can be exploited only by those with a valid OS-level user account--but other Oracle products, such as the Collaboration and E-Business suites, require full patching.

Oracle rates the severity of many of these vulnerabilities as Level 1, its highest level. There are no work-arounds; Oracle recommends applying available patches immediately. (Please test your patches before sending them to production servers!) Go to www.oracle.com/ for details.

Oracle reportedly sat on both the vulnerabilities and patches before releasing them. In an interview after the Black Hat Briefings convention in July, David Litchfield, managing director of U.K. vendor Next-Generation Security Software, said he had notified Oracle of 34 vulnerabilities early in the year. Oracle fixed those holes a couple of months ago, he said, but then waited to release the fixes as it was transitioning to a monthly patch update cycle. Incidentally, this release cycle is now the same as Microsoft's.

The original link for this article (Mike Lee, Network Computing) is no longer available.