Information Security News mailing list archives
Oracle CPU Contains Lowest Number Of Database Fixes Ever
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 20 Jan 2012 02:44:58 -0600 (CST)
http://www.darkreading.com/database-security/167901020/security/news/232500045/oracle-cpu-contains-lowest-number-of-database-fixes-ever.html By Ericka Chickowski Contributing Editor Dark Reading Jan 18, 2012Oracle's Tuesday release of its Critical Patch Update (CPU) garnered a continuation of criticism from the database security community, with researchers pointing to a mounting list of unfixed vulnerabilities that date back to 2009, even as Oracle's rate of releasing database patches continues to plummet. Not counting MySQL updates, which are primarily handled by the open-source community, only two out of the 78 fixes in yesterday's CPU were database-related, the lowest number released by Oracle since it started quarterly CPU releases.
"I am honestly shocked that they only fixed two database vulnerabilities," says Alex Rothacker, manager of Application Security Inc.'s research arm, TeamSHATTER.
According to Rothacker, his firm currently has nine vulnerabilities reported in Oracle's queue of discovered vulnerabilities. While that might not seem like a lot on its face, he says, one of them dates back to 2009 and five of them can result in privilege escalation. In addition, that's only the vulnerabilities discovered by AppSec researchers. Based on his conversations with those in the community, Oracle has been notified by other vendors and independent researchers about many other vulnerabilities, as well.
"There's definitely more stuff out there than just those nine," Rothacker says.
[...] _____________________________________________________ Did a friend send you this article? Make it your New Year's Resolution to subscribe to InfoSec News! http://www.infosecnews.org/mailman/listinfo/isn
Current thread:
- Oracle CPU Contains Lowest Number Of Database Fixes Ever InfoSec News (Jan 20)