Oracle Critical Patches for July 2008

Oracle has released its Critical Patch Update for July 2008, which fixes multiple issues across several product lines. Potential impact on unpatched systems includes remote system access (as root), privilege escalation, denial of service and information leakage. If you run any of the following products, read Oracle’s advisory and begin the patching process.

Affected products:

    BEA WebLogic Express 7.x through 10.x
    BEA WebLogic Server 6.x through 10.x
    Oracle Application Server 10g
    Oracle Database 10.x and 11.x
    Oracle E-Business Suite 11i and 12.x
    Oracle Enterprise Manager 10.x
    Oracle Hyperion Business Intelligence Plus 9.x
    Oracle Hyperion Performance Suite 8.x
    Oracle PeopleSoft Enterprise Customer Relationship Management (CRM) 9.x
    Oracle PeopleSoft Enterprise Tools 8.x
    Oracle TimesTen In-Memory Database 7.x
    Oracle9i Application Server
    Oracle9i Database Enterprise Edition and Database Standard Edition

Original Advisory:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Microsoft Patches Released for May

Microsoft posted its patches for May today. Three are rated Critical, and all three address remote code execution; a denial-of-service fix rated Moderate is also included.

Given the recent interest in automatic patch-based exploit generation (diffing the patched binary against the unpatched one to locate the fixed bug and derive a trigger for it), if exploits do not already exist in the wild, they very likely will shortly.

Organizations should immediately start running these patches through their normal QA process and get them deployed as quickly as possible.

Quicktime PoC

Apple released an update to QuickTime yesterday, and attackers wasted no time producing a new exploit for it. A proof-of-concept exploit against QuickTime 7.3.1.70 is already public. It appears that Apple still has not fixed the root cause of the RTSP vulnerability.

In other news, a survey of Oracle administrators conducted over the past year found that only one in three Oracle database admins patch their databases at all: 68% admitted to never having applied any patches. If that is accurate, it is rather frightening.
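Whether you are starting the July CPU rollout described above or checking how many of your own databases fall into the survey's "never patched" group, the quickest evidence is the database's own patch history. The query below is an added example, not part of the original post: it assumes an Oracle 10.2.x or 11g database on which CPU installation ran catbundle.sql (or catcpu.sql on earlier 10.2 releases), which records each applied CPU in DBA_REGISTRY_HISTORY, and a session with SELECT access to that view (SYS or a DBA-role account). The CPU name shown in COMMENTS (such as CPUJul2008) is the value catbundle writes; the other column names are Oracle's.

```sql
-- Added example (not from the original post): list every patch action the
-- database has registered. On a database that has been in production for
-- years, an empty result here is exactly the "never applied any patches"
-- case from the survey.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
  FROM dba_registry_history
 ORDER BY action_time;

-- Narrow to Critical Patch Updates only. catbundle/catcpu put the CPU name
-- in COMMENTS (e.g. CPUJul2008), so the newest row tells you which CPU
-- the database is actually at, independent of what the change ticket says.
SELECT TO_CHAR(action_time, 'YYYY-MM-DD HH24:MI') AS applied_on,
       version,
       comments
  FROM dba_registry_history
 WHERE UPPER(comments) LIKE 'CPU%'
 ORDER BY action_time DESC;
```

Two caveats. DBA_REGISTRY_HISTORY only reflects the SQL part of a CPU; if the binaries were patched with OPatch but the post-install script was never run (a common mistake), the view stays empty while `opatch lsinventory` in the Oracle home shows the patch as applied, so check both. Releases older than 10.2 do not populate this view at all, and there the OPatch inventory is the only record.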

Microsoft Patch Tuesday Information

MS08-001

Addresses vulnerabilities in the Windows TCP/IP stack that could lead to arbitrary code execution or denial of service. It is rated Critical. This bulletin replaces MS06-032. The Microsoft security bulletin can be found at: http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx

MS08-002

Addresses input validation vulnerabilities in the Local Security Authority Subsystem Service (LSASS) that could lead to code execution or privilege escalation. It is rated Important. The Microsoft security bulletin can be found at: http://www.microsoft.com/technet/security/Bulletin/MS08-002.mspx

Microsoft Security Advance Notification

According to Microsoft's latest advance notification, the January 8th release will bring one new Critical and one new Important security update. Both affect a large cross-section of Windows operating systems. A new version of the Microsoft Windows Malicious Software Removal Tool and seven non-security updates will also be released. For full details see: http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx