Oracle has released their set of critical patches for July 2008. These fix multiple issues across several product lines. Potential impacts on unpatched systems include remote system access (as root), privilege escalation, Denial of Service issues and information leakage. If you are running any of the following products you should visit Oracle’s advisory and begin the patching process.
BEA WebLogic Express 7.x thru 10.x
BEA WebLogic Server 6.x thru 10.x
Oracle Application Server 10g
Oracle Database 10.x and 11.x
Oracle E-Business Suite 11i and 12.x
Oracle Enterprise Manager 10.x
Oracle Hyperion Business Intelligence Plus 9.x
Oracle Hyperion Performance Suite 8.x
Oracle PeopleSoft Enterprise Customer Relationship Management (CRM) 9.x
Oracle PeopleSoft Enterprise Tools 8.x
Oracle Times-Ten In-Memory Database 7.x
Oracle9i Application Server
Oracle9i Database Enterprise Edition and Database Standard Edition
Microsoft posted their patches for May today. Looks like 3 critical patches, all of which address remote code execution. A denial of service patch is also included, rated moderate.
Given the interest lately in patch-based vulnerability generation, if exploits don’t already exist in the wild, they likely will very quickly.
Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.
Apple released an update to Quicktime yesterday, and attackers wasted no time coming up with a new exploit for it. Already in the public is a proof of concept exploit for Quicktime 22.214.171.124. It seems that Apple still hasn’t fixed the root cause of the RTSP vulnerability.
In other news, a survey over the past year on Oracle admins found that only 1 in 3 Oracle database admins bother to patch their databases. 68% of the admins admitted to never applying any patches at all. If that is true, it’s rather frightening.
Addresses vulnerabilities in the TCP/IP stack that could lead to the execution of arbitrary code or Denial of Service conditions. It is rated Critical. This bulletin replaces MS06-032. The Microsoft security bulletin can be found at: http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx
Addresses vulnerabilities in input validation errors in Local Security Authority Subsystem Service (LSASS) that could lead to execution of code or privilege escalation. The Microsoft security bulletin can be found at: http://www.microsoft.com/technet/security/Bulletin/MS08-002.mspx
According to Microsoft’s latest advance security bulletin, January 8th will give us 1 new Critical and 1 new Important security update. Both affect a large cross section of Windows operating systems. Additionally, a new version of the Microsoft Windows Malicious Software Removal Tool and 7 non-security updates will also be released. For full details see: http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx