By Joris Evers
Staff Writer, CNET News.com
April 18, 2006
As part of its quarterly patch cycle, Oracle on Tuesday released fixes
for a long list of security vulnerabilities in many of its products.
The Critical Patch Update delivers remedies for 14 flaws related to
Oracle's Database products, five related to the Collaboration Suite,
one in Application Server, 15 related to E-Business Suite and
Applications, two in the Enterprise Manager, one in PeopleSoft's
Enterprise portal and one in JD Edwards software.
In addition to the security fixes, Oracle said it has made
"significant" changes to an existing tool that checks for default
accounts and passwords. The tool was released in January as a response
to the "Oracle voyager" database worm, which exploits those default
The business software maker has come under fire for being slow to
patch security holes and for not collaborating well with researchers
who find bugs. Oracle's chief security officer, Mary Ann Davidson, has
responded in turn by saying bug hunters themselves can be a problem
when it comes to product security.
In its patch bulletin, the company credited a number of researchers
with reporting vulnerabilities. These include Alexander Kornbrust of
Red Database Security, Esteban Martinez Fayo of Application Security
and David Litchfield of Next Generation Security Software, who claimed
discovery of Oracle Database flaws in a posting to the Full Disclosure
InfoSec News v2.0 - Coming Soon!