Oracle today released fixes for 36 vulnerabilities, marking one of the smallest patch updates since the database giant began issuing quarterly distributions more than two years ago.The update included 13 patches for the popular Oracle Database, with the most severe vulnerability rating a seven out of 10. Three of the database flaws – the most serious ones – may be remotely exploitable without user authentication.
Amichai Shulman, chief technology officer of Israel-based database security provider Imperva, told SCMagazine.com today that the most severe database bug is easy to exploit and can result in the disclosure of confidential information — but it allows an attacker only partial system control. Also, it affects only Windows platforms.
Another five fixes were released for the Oracle Application Server and 11 for the E-Business Suite. Patches also were delivered for the Collaboration Suite, Enterprise Manager and PeopleSoft and JD Edwards business applications.
Shulman said Oracle distributed only six patches for stored procedure vulnerabilities, which could lead to SQL server injections or buffer overflows.
"If this trend continues, this is definitely a good sign," he said. "It means…they’re managing the code."
Despite the diminished number of patches released — Oracle issued 101 fixes in October — the database giant must make a continued effort of building security in, said Marv Goldschmitt, vice president of business development at Maynard, Mass.-based Tizor Systems.
He told SCMagazine.com that database vendors are responsible for producing products used to protect customer information in the same way bank vaults are used to safeguard physical assets.
"If you have a vulnerable product, you’re going to have more situations like TJX," Goldschmitt said, referring to the Massachusetts-based discount retailer whose systems were hacked to the tune of 50 million customer records. It is not known whether TJX deployed Oracle hardware and software.
Meanwhile, Eric Maurice, manager of security in Oracle’s global technology business unit, noted on the company’s security blog this afternoon that this marks the 10th quarterly critical patch update (CPU).
"The predictability provided by the [CPU] mechanism is very important to Oracle customers," he said today. "It results in enabling customers to plan for the CPUs and install them in their normal maintenance windows, to avoid undue interruptions in their business-critical systems."
Maurice added: "Just as we continue to implement ways to improve our coding practices to minimize the impact of security flaws in our software, we continue to search for ways to enhance the CPU process to reduce the impact of Oracles’ issuance of security fixes with customers."
In October, Oracle launched a Common Vulnerability Scoring System (CVSS) to rate bugs, identify those flaws that are critical and remotely exploitable, and include a "high-level" overview of each defect and fix — again similar to Microsoft's approach.
Shulman said enterprises should first assess their systems before patching. He added that it makes sense to already have deployed an additional security layer to sit in front of the database server, such as an intrusion prevention system.
"These solutions are usually quickly up-to-date with signatures for the vulnerabilities," he said. "And then plan your patching because patching takes time and planning."