Oracle patches 41 security holes in its products
Oracle has published its Critical Patch Update (CPU) for April to close a total of 41 security holes in its products. The flaws are found in Oracle Database Server, Oracle Application Express, Oracle Application Server, the Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise. For the first time, the update also includes patches for Oracle Siebel CRM Applications.
15 of the flaws are found in Oracle's Database Server, including version 11g. One of the flaws in the database can be exploited remotely without authentication, though the security advisory does not say exactly what attackers can do. According to Alexander Kornbrust, a database security specialist, the problem is a preset password in the database server: the system sometimes resets the password of user OUTLN to OUTLN and assigns that user DBA privileges. This flaw affects all databases except 10.2.0.4 and 11g.
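A quick audit for the OUTLN condition described above, as an added example that is not part of the original article or Oracle's advisory; it assumes a DBA session and that OUTLN is not used for interactive logins in your environment, and uses only the DBA_ROLE_PRIVS and DBA_USERS views that exist in the affected releases:

```sql
-- Constructed audit script for the OUTLN issue: run as a DBA.

-- 1. Does OUTLN hold the DBA role? A normal installation should return no rows.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'OUTLN'
   AND granted_role = 'DBA';

-- 2. Is the OUTLN account open, i.e. usable for a login at all?
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username = 'OUTLN';

-- Remediation if either query reports a problem: strip the role, replace the
-- default password (placeholder shown, choose your own) and lock the account,
-- assuming nothing in your environment logs in as OUTLN interactively.
REVOKE DBA FROM OUTLN;
ALTER USER OUTLN IDENTIFIED BY "<new-strong-password>";
ALTER USER OUTLN ACCOUNT LOCK;
```

Re-run the two SELECT statements after applying the Critical Patch Update, since the article says the reset can recur.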
This new batch of security vulnerabilities in the database makes Oracle's product look even worse statistically, compared to the competition. In an analysis some 14 months ago, internationally known database security specialist David Litchfield of NGSSoftware concluded that Microsoft's SQL Server has far fewer vulnerabilities than Oracle databases. Jeff Jones, Microsoft's Security Strategy Director for the Trustworthy Computing Group, came to the same conclusion in March, in a comparison of independent security advisories published by SecurityFocus, Secunia and the US National Vulnerability Database.
Critics have argued that Jones compared apples and oranges when he counted the vulnerabilities found in Microsoft's operating system, Linux distributions, and the Mac OS, on the one hand, and in Internet Explorer and Firefox, on the other. But this time, the comparison seems to be a bit more objective because the count is only based on published security advisories and vendor patches.
- Oracle Critical Patch Update Advisory - April 2008, description of the update
- April 2008 Critical Patch Update Released, entry in the Oracle Global Product Security Blog
- SQL Server - Fact Checking Recent Vulnerability History, Jeff Jones' blog