Vulnerabilities / Threats
4/18/2011
11:02 AM
50%
50%

Oracle To Patch 73 Critical Vulnerabilities

Microsoft, Apple, and Adobe have all issued bug fixes recently, and now Oracle is patching Oracle Fusion Middleware, the Sun Products Suite, the Open Office Suite, and other products.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Oracle on Tuesday plans to fix 73 critical bugs, affecting hundreds of its products, as part of its next quarterly patch update.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," according to the company's pre-release patch announcement issued Friday. Many of the vulnerable components are in security software.

The most severe vulnerabilities involve Oracle Fusion Middleware, the Sun Products Suite, and the Open Office Suite. The Sun Products Suite will get 18 security fixes, seven of which can be remotely exploited without authentication. Affected components include Solaris, Sun Java System Access Manager Policy Agent, and OpenSSO Enterprise.

Fusion Middleware will see nine security fixes, six of which can be remotely exploitable without authentication. Affected components include Single Sign On, Oracle WebLogic Server, Oracle Security Service, and Oracle HTTP Server.

Open Office Suite will get eight fixes, seven of which can be exploited remotely. On a related note, on Friday, Oracle announced that it's dropping the commercial version of OpenOffice.org, turning it into a purely open source, community-driven project. "Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the OpenOffice.org project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis," said Edward Screven, Oracle's chief corporate architect, in a statement.

On Tuesday, Oracle also will release patches for critical vulnerabilities in Database Server, E-Business Suite, Enterprise Manager Grid Control, Identity Management, JD Edwards, PeopleSoft, Siebel CRM, Supply Chain Products Suite, and WebLogic Server.

Also on the patch front, Adobe on Friday released a fix for a zero-day vulnerability in Adobe Flash Player that's being actively exploited by attackers via malicious websites and emails. According to Adobe, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform."

Affected software versions include Adobe Flash Player version 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; version 10.2.154.25 and earlier for Chrome; and version 10.2.156.12 and earlier for Android. In addition, Adobe Air version 2.6.19120 and earlier--for Windows, Macintosh and Linux--got a patch.

Adobe said that by April 25, it will release patches for other software products affected by the vulnerability, which include Adobe Acrobat X for Windows and Macintosh, Reader X for Macintosh, and Adobe Reader 9.4.3 (and earlier 9.x versions) for Windows and Macintosh.

Also on Friday, Apple released several security updates: OS X Security Update 2011-002, Safari 5.0.5, and iOS 4.3.2 (or for Verizon, 4.2.7). Among other features, all contain hard-coded fixes for the bogus security certificates issued last month by Comodo.

Finally, the Oracle, Adobe, and Apple patches follow on the heels of last week's massive Patch Tuesday, in which Microsoft released 17 separate security bulletins detailing 64 software bugs.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7178
Published: 2014-11-28
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

CVE-2014-7850
Published: 2014-11-28
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

CVE-2014-8423
Published: 2014-11-28
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVE-2014-8425
Published: 2014-11-28
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?