This week's relentless onslaught of security patches continued late Tuesday afternoon when Oracle released its quarterly Critical Patch Update, a healthy dose of 86 security updates across all major product lines including Oracle Database and MySQL Server.
The most serious may be a critical privilege escalation vulnerability (CVE-2012-3220) in Oracle Database Server. An attacker who is authenticated and has the Create Table privilege can exploit this flaw to gain control of the underlying Windows systems.
"This type of vulnerability would likely be exploited in conjunction with another attack to elevate privileges from the database to the operating system," said Ross Barrett, senior manager of security engineering at Rapid7. "Oracle Database is their flagship product and to say it is widely deployed is putting it mildly."
Oracle has been under harsh criticism for much of the young year, primarily for a zero-day vulnerability in Java 1.7u10. Exploits for the previously undisclosed flaw were being hosted in a number of exploit kits, and attacks have already been seen in the wild dropping ransomware and assorted other malware. Oracle did respond quickly with an out-of-band Java 1.7u11 update that addressed the sandbox-bypass vulnerability, but security experts still recommend disabling Java and warn that there are ways to bypass the security enhancements in the latest Java update.
Continued: https://threatpost.com/en_us/blogs/oracle-releases-86-patches-its-january-critical-patch-update-011613
Oracle's January patches close 86 holes
Oracle delivers 86 security fixes
Oracle Fixes 86 Security Flaws in Massive Critical Patch Update
Also See: Vulnerabilities / Fixes - January 16, 2013