BelchSpeak

I can't believe that came from your mouth!

Cyber

Oracle Announces 101 Patches

Oracle is the most vulnerable database system in operation today. It has more holes than a screen door and the security team at Oracle spends more time creating spin for their press releases about their flawed software than they do actually creating fixes for the products.

When I worked at DHS, Oracle was absolutely combative with the government when it came to publishing vulnerability notes about their software. They were the only company that demanded to be notified prior to any vulnerability announcement by telephone.

Today it was announced that out of the 101 announced flaws in their software, there are 45 vulnerabilities that are remotely exploitable, and they require no authentication.

Somehow Oracle gets away with putting out crappy vulnerable code. If this was Microsoft listing 45 remote vuls, you would never hear the end of the carping about the vulnerabilities.

From ComputerWorld here:

Oracle releases 101 patches in quarterly update

October 17, 2006 (Computerworld) — Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.

The patches are part of Oracle’s scheduled quarterly critical patch updates. The last one was in July.

A total of 45 flaws were listed as being remotely exploitable without requiring authentication by the attackers. Such flaws were highlighted for the first time in Oracle’s critical patch updates as part of the company’s effort to give customers more vulnerability-related information.

As an example of the ludicrous spin, on the Oracle Security Blog, they brag that only the Oracle Database is affected. Not the database clients. So the server, which holds all the data, which could be financial, personal data or other critical data is what is vulnerable. To remote exploit.

Dr. Jones

Do not talk about fight club. Oops.
