Oracle fixes 88 security vulnerabilities
Posted on 18 April 2012.
Oracle’s Critical Patch Update for April 2012 fixes 88 security vulnerabilities across the product line. The amount of fixes isn’t really a big concern; it's the criticality that really matters.

There is quite an uptick in criticality when you look at the Critical Patch Update from January 2012, when the highest was 7.8, while this quarter we have a couple of vulnerabilities with a criticality rating well above that.

The most critical vulnerability is CVE-2012-1695, which affects JRockit, Oracle’s proprietary Java Virtual Machine, and has a base score of 10.0. The base score of 10.0 is equivalent to a vulnerability perfect storm, spelling disaster for an organization.

JRockit has been free since May 2011 and it is unclear how many organizations this will affect. JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low level attack vector. The low attack vector rating means that it would be easy to exploit over a network or Internet. This exploit will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.

CVE-2012-0208, a vulnerability in the RSH protocol in Oracle Grid Engine, is rated at 9.0, as is CVE-2012-0552, a vulnerability relating to Oracle Database Server that affects the Oracle Spatial component. Both of these 9.0-rated vulnerabilities require authentication to exploit, but could result in a complete breach of the affected system.

Something like these vulnerabilities could be use to escalate privileges for an attacker after they have compromised a lower privileged account.

If organizations are running the software included in the updates, I recommend testing and patching as soon as possible, and to triage according to the CVSS Base Score.

Author: Marcus Carey, security researcher at Rapid7.


Intentional backdoors in iOS devices uncovered

Posted on 22 July 2014.  |  A researcher has revealed that Apple has equipped its mobile iOS with several undocumented features that can be used by attackers and law enforcement to access the sensitive data contained on the devices running it.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Wed, Jul 23rd