Oracle last month released a bunch of patches — 36 to be exact — for security problems dating all the way back to 2002. But according to David Litchfield of NGS Software, there are 39 more issues, many of which are high risk, that still need to be addressed.
In a white paper on NGS’s Web site, Litchfield wrote:
“This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June 2004. This may indicate that Oracle are now in a position where they can “clear the backlog” indicating that most of the more important flaws have been found and patched. If this is correct then we should see smaller patches being released in future CPUs.”
A blogger on IT Security had this to say:
“Last Fall, Oracle began assigning risk ratings to its vulnerabilities. Those reported by Litchfield and his colleagues rate no higher than 4.2 on a scale based at 7.0. Four of the flaws are rated 0.0, and the company says these are not exploitable in a default database environment.”
Oracle’s next critical patch update is slated for July 17th.
— Mark Brunelli