November 21, 2024

Massive Oracle Security Update Lands on Microsoft Patch Tuesday

Posted on October 15, 2014 by in Security

Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.

Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, including a handful that is known to have already come under attack.

But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.

“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”

The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Out of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities meanwhile affect client and server deployments of Java SE, while on affects client and server deployments of JSSE, Maurice noted.

The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.

In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.

MS14-056 is the biggest of the updates, and addresses 14 privately-reported issues in Internet Explorer. The most severe of these could allow remote code execution of a user views a specially-crafted webpage using Internet Explorer.

“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security migration for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it had might not been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”

MS14-56, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.

“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”

The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.

The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.

Adobe Systems also released patches today to address issues in Adobe Flash Player.

“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Oracle Issues Heartbleed Updates

Posted on April 22, 2014 by in Security

Oracle issued an advisory today listing both security updates and detailing what is known and unknown about the Heartbleed vulnerability’s impact on Oracle products.

“The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products,” Oracle noted in its advisory. “Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160.  In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-016.”

The products known to be vulnerable include and for which there are patches are: MySQL Connector/C 6.1.0-6.1.3; MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6 and 5.3.2; MySQL Enterprise Backup 3.10.0; MySQL Enterprise Monitor 2.3.13-2.3.15 and 3.0.0-3.0.8; MySQL Enterprise Server 5.6.11-5.6.17 and MySQL Workbench 6.1.4 and earlier. Other products known to be vulnerable that have patches available are: Oracle Big Data Appliance; Oracle Communications Interactive Session Recorder 4.0.0 and later; Oracle Communications Network Charging and Control 5.0.1; Oracle Communications Session Monitor Suite 3.3.40 and 3.3.50; Oracle Linux 6; Oracle Mobile Security Suite; Oracle Virtual Compute Appliance Software; and Solaris 11.2.

There are other products that are considered likely to be vulnerable but have no fixes, such as Java ME – JSRs and Optional Packages and Oracle Communications Session Delivery Management Suite NNC 7.3. Several other products, including Java CAPS 6.2 and Siebel CRM, are considered by Oracle to be potentially vulnerable but are still investigation. 

“Oracle’s Cloud security and development teams are aware of the publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’),” according to the advisory. “Oracle is investigating the implications of this issue across the Oracle stack.”

“The Oracle Cloud uses a “defense in depth” approach to security, which provides risk mitigation due to layered controls,” Oracle noted. Oracle has assessed that the infrastructure, systems and applications used to provide Oracle Cloud services (“Cloud infrastructure”) were not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160. Furthermore, Oracle has assessed our Cloud infrastructure using a number of automated and manual tests and continues to believe that it is not currently at risk from the CVE-2014-0160 vulnerability.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed