10 Massive Security Breaches

Oracle on Tuesday plans to fix 73 critical bugs, affecting hundreds of its products, as part of its next quarterly patch update.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," according to the company's pre-release patch announcement issued Friday. Many of the vulnerable components are in security software.

The most severe vulnerabilities involve Oracle Fusion Middleware, the Sun Products Suite, and the Open Office Suite. The Sun Products Suite will get 18 security fixes, seven of which can be remotely exploited without authentication. Affected components include Solaris, Sun Java System Access Manager Policy Agent, and OpenSSO Enterprise.

Fusion Middleware will see nine security fixes, six of which can be remotely exploitable without authentication. Affected components include Single Sign On, Oracle WebLogic Server, Oracle Security Service, and Oracle HTTP Server.

Open Office Suite will get eight fixes, seven of which can be exploited remotely. On a related note, on Friday, Oracle announced that it's dropping the commercial version of OpenOffice.org, turning it into a purely open source, community-driven project. "Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the OpenOffice.org project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis," said Edward Screven, Oracle's chief corporate architect, in a statement.

On Tuesday, Oracle also will release patches for critical vulnerabilities in Database Server, E-Business Suite, Enterprise Manager Grid Control, Identity Management, JD Edwards, PeopleSoft, Siebel CRM, Supply Chain Products Suite, and WebLogic Server.

Also on the patch front, Adobe on Friday released a fix for a zero-day vulnerability in Adobe Flash Player that's being actively exploited by attackers via malicious websites and emails. According to Adobe, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform."

Affected software versions include Adobe Flash Player version 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; version 10.2.154.25 and earlier for Chrome; and version 10.2.156.12 and earlier for Android. In addition, Adobe Air version 2.6.19120 and earlier--for Windows, Macintosh and Linux--got a patch.

Adobe said that by April 25, it will release patches for other software products affected by the vulnerability, which include Adobe Acrobat X for Windows and Macintosh, Reader X for Macintosh, and Adobe Reader 9.4.3 (and earlier 9.x versions) for Windows and Macintosh.

Also on Friday, Apple released several security updates: OS X Security Update 2011-002, Safari 5.0.5, and iOS 4.3.2 (or for Verizon, 4.2.7). Among other features, all contain hard-coded fixes for the bogus security certificates issued last month by Comodo.

Finally, the Oracle, Adobe, and Apple patches follow on the heels of last week's massive Patch Tuesday, in which Microsoft released 17 separate security bulletins detailing 64 software bugs.