Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/9/2009
08:42 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Microsoft's Light Patch Tuesday Offset By Oracle

While Microsoft is slated to issue one patch next week, Oracle announced it will release an eye-popping 41 security vulnerability fixes that touch hundreds of applications. Oh joy.

While Microsoft is slated to issue one patch next week, Oracle announced it will release an eye-popping 41 security vulnerability fixes that touch hundreds of applications. Oh joy.Not that Microsoft's patch will necessarily be a smooth spring drive. It's issuing a single security patch on Tuesday that will affect all versions of Windows: from Windows 2000 through Vista and Windows Server 2008. In older versions of Windows the flaw is ranked as critical by Microsoft, while in the more recent Vista and Server 2008 software it's moderate.

However, many operation teams and an awful lot of database admins will be focused not on the single OS patch shipping from Redmond on Tuesday, but the 41 patches that will be fired from Redwood Shores that same day:

This Critical Patch Update contains 41 security fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Oracle Database software will be the recipient of 10 of the new vulnerabilities. Fortunately, none of these are remotely exploitable by parties unauthorized to the system.

This Critical Patch Update contains 10 new security vulnerability fixes for the Oracle Database. None of these vulnerabilities may be remotely exploited without authentication. Unfortunately, the same can't be said for the nine vulnerability patches slated for Oracle Secure Backup -- all these vulnerabilities may be remotely exploited without authentication

There are simply too many applications and vulnerabilities to look at individually here. But if I were an Oracle user, I'd take a hard look at this advisory and see what applications of mine are affected -- and get ready to patch.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17452
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
CVE-2020-17451
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
CVE-2020-17447
PUBLISHED: 2020-08-09
MyBB before 1.8.24 allows XSS because the visual editor mishandles [align], [size], [quote], and [font] in MyCode.
CVE-2020-16248
PUBLISHED: 2020-08-09
** DISPUTED ** Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.