Vulnerabilities / Threats
4/18/2011
11:02 AM
50%
50%

Oracle To Patch 73 Critical Vulnerabilities

Microsoft, Apple, and Adobe have all issued bug fixes recently, and now Oracle is patching Oracle Fusion Middleware, the Sun Products Suite, the Open Office Suite, and other products.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Oracle on Tuesday plans to fix 73 critical bugs, affecting hundreds of its products, as part of its next quarterly patch update.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," according to the company's pre-release patch announcement issued Friday. Many of the vulnerable components are in security software.

The most severe vulnerabilities involve Oracle Fusion Middleware, the Sun Products Suite, and the Open Office Suite. The Sun Products Suite will get 18 security fixes, seven of which can be remotely exploited without authentication. Affected components include Solaris, Sun Java System Access Manager Policy Agent, and OpenSSO Enterprise.

Fusion Middleware will see nine security fixes, six of which can be remotely exploitable without authentication. Affected components include Single Sign On, Oracle WebLogic Server, Oracle Security Service, and Oracle HTTP Server.

Open Office Suite will get eight fixes, seven of which can be exploited remotely. On a related note, on Friday, Oracle announced that it's dropping the commercial version of OpenOffice.org, turning it into a purely open source, community-driven project. "Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the OpenOffice.org project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis," said Edward Screven, Oracle's chief corporate architect, in a statement.

On Tuesday, Oracle also will release patches for critical vulnerabilities in Database Server, E-Business Suite, Enterprise Manager Grid Control, Identity Management, JD Edwards, PeopleSoft, Siebel CRM, Supply Chain Products Suite, and WebLogic Server.

Also on the patch front, Adobe on Friday released a fix for a zero-day vulnerability in Adobe Flash Player that's being actively exploited by attackers via malicious websites and emails. According to Adobe, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform."

Affected software versions include Adobe Flash Player version 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; version 10.2.154.25 and earlier for Chrome; and version 10.2.156.12 and earlier for Android. In addition, Adobe Air version 2.6.19120 and earlier--for Windows, Macintosh and Linux--got a patch.

Adobe said that by April 25, it will release patches for other software products affected by the vulnerability, which include Adobe Acrobat X for Windows and Macintosh, Reader X for Macintosh, and Adobe Reader 9.4.3 (and earlier 9.x versions) for Windows and Macintosh.

Also on Friday, Apple released several security updates: OS X Security Update 2011-002, Safari 5.0.5, and iOS 4.3.2 (or for Verizon, 4.2.7). Among other features, all contain hard-coded fixes for the bogus security certificates issued last month by Comodo.

Finally, the Oracle, Adobe, and Apple patches follow on the heels of last week's massive Patch Tuesday, in which Microsoft released 17 separate security bulletins detailing 64 software bugs.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.