Oracle’s Critical Patch Update for October 2012 patches 109 vulnerabilities across hundreds of Oracle products. Several of the patches require immediate attention from enterprises running Oracle's paid and free software. Oracle Database Server's Core RDBMS and Oracle JRockit should both be patched as soon as possible. The Core RDBMS has a vulnerability with a CVSS base score of 10.0 that may be remotely exploitable without authentication. This flaw demands the immediate attention of organizations running the Core RDBMS, because a successful attack results in the complete compromise of the system’s confidentiality, integrity, and availability.
Oracle JRockit also has a vulnerability rated 10.0. When a vulnerability is rated 10.0 on the CVSS scale, it is essentially "game over" if an attacker can reach the device over the Internet or an intranet.
Oracle's MySQL Server receives fixes for 14 vulnerabilities, the highest with a CVSS score of 9.0. Two of the MySQL vulnerabilities may be remotely exploitable without authentication. Of those, CVE-2012-3158, rated 7.5, is the most severe.
According to Oracle, it could lead to a compromise of the confidentiality, integrity, and availability of affected systems. Many would argue that CVE-2012-3158 could be rated higher.
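To make the scores above concrete, here is a CVSS v2 base-score calculator, added as an example and not part of the original article or of Oracle's advisory. The weights and formula are the published CVSS v2 equations; the two vectors are my reconstruction from the article's prose (network-reachable, no authentication, complete versus partial impact on confidentiality, integrity and availability), not vectors quoted from the advisory. It shows that the only difference between a 7.5 and a 10.0 for a remote, unauthenticated flaw is whether the impact is rated partial or complete, which is exactly the argument over CVE-2012-3158.

```python
"""CVSS v2 base-score calculator (added example, not from the article).

The metric weights and equations are the CVSS v2 standard. The sample
vectors below are assumptions inferred from the article's description,
not the official vectors published by Oracle.
"""

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

# Assumed vectors (reconstructed from the prose, see the lead-in).
CORE_RDBMS_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"   # remote, no auth, complete impact
CVE_2012_3158_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:P"  # remote, no auth, partial impact


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {metric: value} and validate it."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError(f"vector must contain exactly the metrics {sorted(expected)}")
    return metrics


def impact_subscore(m):
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A)); 10.0 when all three are Complete."""
    return 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))


def exploitability_subscore(m):
    """Exploitability = 20 * AV * AC * Au; 10.0 for network / low / none."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the standard specifies."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    f_impact = 0 if impact == 0 else 1.176   # f(Impact) zeroes the score when nothing is affected
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return round(raw, 1)


def score_table(vectors):
    """Return {vector: base score} for a batch of vectors."""
    return {v: base_score(v) for v in vectors}


if __name__ == "__main__":
    for vector, score in score_table([CORE_RDBMS_VECTOR, CVE_2012_3158_VECTOR]).items():
        print(f"{vector}  ->  {score}")
```

Swapping `C:P/I:P/A:P` for `C:C/I:C/A:C` with everything else held fixed moves the score from 7.5 to 10.0, so the disagreement about CVE-2012-3158 is entirely a disagreement about whether the impact should have been scored partial or complete.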
MySQL may have the widest impact across the Internet. Approximately 3 million MySQL servers were discovered during a recent Internet-wide scan, and about 1.5 million of those have no host access control lists (ACLs) in place, leaving them exposed to the kind of remote, unauthenticated exploits patched in this cycle.
Many were anticipating that Oracle would patch the Java Runtime Environment (JRE), which it did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37. I advise everyone who needs Java to update as soon as possible. Rapid7 provides a free online tool, IsJavaExploitable.com, which allows you to test whether you need to update your Java (and provides links to update if necessary), or to verify that patching has worked.

Author: Marcus Carey, security researcher at Rapid7.
