In-Depth

Oracle, Apple Issue Security Fixes

Microsoft isn't the only vendor issuing security "<em>mea culpa</em>"s lately. Oracle and Apple got into the action last week, too.

• By Stephen Swoyer
• 04/22/2008

Oracle Corp., whose applications and database software has increasingly come under the security microscope over the last few years, issued an April Critical Patch Update (CPU) that addresses a total of 41 bugs across a range of its products. It's Oracle's second CPU update this year.

Oracle isn't the only prominent vendor copping to a security mea culpa. Apple Corp. last week issued fixes for its Safari Web browser for Windows as well as for Safari running on Mac OS X. The latter vulnerability, which was exploited to sensational effect at this year's CanSecWest security conference (as part of a "PWN TO OWN" contest), consists of a heap-overflow vulnerability in WebKit, the open-source browser engine used by Safari and other browsers.

At ConSecWest, cracker superstar Charlie Miller was able to exploit this vulnerability to take complete control of a MacBook Air system. This year, PWN TO OWN pitted Mac OS X, Windows Vista Ultimate Edition SP1, and Ubuntu Linux 7.10 against one another. Ubuntu eventually triumphed, after first MacOS X and then Windows Vista were successfully hacked.

The bugs that Oracle patched last week are every bit as sensational -- and potentially more dangerous (given Oracle's enormous position in the enterprise) -- than Apple's mea culpa.

All told, Oracle issued 17 fixes for its database products, 11 for its E-Business Suite, six for its Siebel Enterprise Suite, three for its Application Server, three for its combined PeopleSoft-JD Edwards Suite, and one for Oracle Enterprise Manager. Of the 15 database-specific vulnerabilities, only one can be remotely exploited without authentication, according to Oracle.

More serious, however, are a trio of flaws in Oracle Application Server (OAS).

All three flaws can, under certain circumstances, be remotely exploited, according to Oracle officials. "All three of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password," writes Oracle in its security advisory. This is of a piece with a larger trend: seven of the 11 vulnerabilities that Oracle patched in its E-Business Suite can also be (a) remotely exploited without (b) a user name or password.

One of these flaws doesn't strictly affect OAS itself: Oracle acknowledged a vulnerability in its Jinitiator offering, a technology which makes it possible for client applications based on Oracle Forms to run in a browser context.

The Jinitiator vulnerability, the advisory says, is applicable to client-only installations and only affects the client portion of OAS. In other words, the vulnerability isn't strictly endemic to OAS itself.

Oracle's April CPU update is a much bigger beast than its January predecessor. That CPU patched 26 different bugs in Oracle's product stack.

Oracle's next planned CPU deliverable is slated for July.