Oracle released another massive patch update today which fixed 253 security flaws across hundreds of Oracle products. This year we have seen the updates getting bigger as compared to an average of 161 vulnerabilities 2015 and 128 vulnerabilities in 2014. Many components fixed in today’s release are remotely exploitable. Since most organizations have different teams to patch databases, networking components, operating systems, applications server and ERP systems, I have broken down the massive update in these categories. Other than the exception of Java there are no consumer products and administrators should focus on their individual patching domains.
Oracle has published their Critical Patch Update (CPU) for January 2016. The Oracle CPU is quarterly and addresses the flaws in large Oracle’s product line, including their core product the relational database, but also in a large number of acquisitions like Solaris, MySQL, Java and many of the end-user products, such as JDEdwards ERP, Peoplesoft and CRM.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) is responsible for IT security within the German Federal government. In addition they work on IT security standards for Germany and are moving into a national incident tracking function as well. In December 2014 they published their yearly report summarizing the IT security state in Germany as "critical", with attacks rising, German companies leaking data and exposing their infrastructure to even physical damage. Much of it is due to a 'Digitale Sorglosigkeit', a digital carelessness where the IT industry does not pay attention to avoidable threats.
In the third patch release of the day, after Adobe and Microsoft, Oracle publishes code fixes for 154 distinct vulnerabilities across a large number of product families. Many of the vulnerabilities addressed are of critical nature, allowing the attacker to achieve remote code execution. Due to the large number of patches a precise inventory will be crucial to be able to decide where to patch first.
Oracle released its Critical Patch Update (CPU) for July 2014 with 115 patch updates to a variety of Oracle products. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on – workstation or server.
Oracle just released their announcement of the July Critical Patch Update (CPU). Oracle bundles the security updates for the majority of the products it controls into a quarterly update – something of a Super Tuesday of computer security. This time we are getting 115 fixes for vulnerabilities over 30 different product groups with even more individual software versions affected.
July’s Advance Notice by Microsoft has just arrived. This month, Microsoft is publishing six bulletins in July, affecting all versions of Internet Explorer, Windows and one server components. Two bulletins are rated “critical,”, as they allow for Remote Code Execution (RCE), three are rated “important” as they allow for elevation of privilege inside on Windows.
The most critical patch to consider is Bulletin 1 is for all versions of Internet Explorer (IE), all the way from Internet Explorer 6, but only supported on Windows Server 2003 since XP has been retired, to the newest IE 11 on Windows 8.1 and R. This patch should be top of your list, since most attacks involve your web browser in some way. Take a look at the most recent numbers in Microsoft SIR report v16, which illustrate clearly that web- based attacks, which include Java and Adobe Flash are the most common.
Bulletin 2 is a critical update for Windows and all desktop versions of Vista, WIndows 7, 8 and RT are affected. On the server side all but the the oldest Windows server 2003 are affected. The update will require a reboot, which is something to include in your planning, especially on the server side.
Bulletin 3, 4, and 5 are all elevation of privilege vulnerabilities in Windows. They are affect all versions of Windows. They are local vulnerabilities, i.e they cannot be used to achieve code execution remotely through the network, but require that the attacker already haves a presence on the targeted machine as a normal or standard user. Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attackers gets an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.
Lastly, Bulletin 6 is a Denial of Service vulnerability in the Service Bus for Windows. The Service Bus is a newer component of Windows in use in the Windows Azure environment for the development of loosely coupled applications. In our estimate few companies will have installed that component and on Azure, Microsoft will take of the patching for you.
Later Also this month Oracle is publishing their Critical Patch Update (CPU) July 2014. It is expected to come out on July 15 and typically contains fixes for hundreds of vulnerabilities. How applicable the patches are for your organization depends on your software inventory, but at least the update for Java will be important for most organizations.
Please stay tuned to this blog for next week’s release and further updates from Oracle.