By Joris Evers
Staff Writer, CNET News.com
October 17, 2006
As part of its quarterly patch cycle, Oracle released fixes on Tuesday
for 101 security vulnerabilities across its products.
The Critical Patch Update includes remedies for 63 flaws related to
Oracle's widely-used database products. There are also patches for 14
vulnerabilities in Application Server, 13 related to E-Business Suite, 8
in PeopleSoft products, and one each in Oracle Pharmaceuticals and JD
"In terms of critical fixes, the majority of them lie within the
application server product," said Darius Wiles, the senior manager for
security alerts at Oracle. "There is a number that could be exploited
both remotely and without authentication, and those are the ones that
customers should be most concerned about and fix as soon as possible."
Oracle's October security update is the first of its quarterly bulletins
to contain severity ratings. Also, the alert now more clearly denotes
which flaws could be exploited remotely by anonymous attackers, the most
serious type of vulnerability.
Many of the issues are significant. Thirty of the Oracle Database
related flaws open systems up to unauthenticated, remote attacks,
according to the alert. For Application Server, 13 flaws carry that
risk, as does one in E-Business Suite and one in PeopleSoft products.
Of all the database-related flaws, 35 are in Oracle Application Express,
and 25 of those carry the most serious risk. Application Express is an
optional installation and isn't used by many Oracle customers, Wiles
said. Application Server is more widely used and as such, more systems
are at risk of flaws associated with that product, he noted.
"There is a lot of fixes this timethey seem to be getting on top of the
bug fixing," Pete Finnigan, a security specialist in York, England,
wrote on his blog Tuesday. "I am impressed by the new style advisory;
it's not perfect, it is much better than it was."
Oracle's next patch day is Jan. 16.
Copyright 1995-2006 CNET Networks, Inc. All rights reserved.
Visit the InfoSec News store!