Oracle plugs six-pack of flaws

The database giant issues patches for six vulnerabilities in its latest product, found by the British company that discovered the bug behind last month's Slammer worm.

Next-Generation Security Software, the British security firm that discovered the bug that allowed the Slammer worm to proliferate last month, has discovered a six-pack of flaws in Oracle's newest database product.

Redwood Shores, Calif.-based Oracle released patches for the six vulnerabilities--four deemed critical and two merely serious--last week.

Oracle has tried to structure the way it releases patches for its products, so that customers aren't inundated with fixes, said Mary-Ann Davidson, the company's chief security officer.

"I always worry about whether people apply the patches," she said. "We did revise our bug handling, so we have a formula for what is big and nasty. If it's above a certain severity threshold, we can release the fix as a one-off, before we release an (entire) patch set."

The formula includes factors such as how widely used the impacted software is and what effects exploiting the flaw can have.

The current flaws include four critical buffer overflows in various components of Oracle's database server software, including its latest Oracle 9i Release 2. Buffer overflows, or overruns, occur when an application fails to check that incoming data fits in the memory set aside for it. By causing a buffer overflow, attackers can insert their own code into the execution of the application. Each of the four flaws could allow a malicious user--someone who already has some access to the database--to gain complete control of the server.
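The article does not publish the affected code, so the following is an added illustration (not Oracle's code) of the general pattern behind a buffer overrun and its fix: a fixed-size buffer, an unchecked copy that trusts the caller's input length, and a hardened version that measures the input first and refuses anything that does not fit. The buffer size and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size field, as a server might keep for a
 * user or schema name. Room for 15 characters plus the terminating NUL. */
#define NAME_LEN 16

/* The unsafe pattern. strcpy() copies until it finds a NUL byte and never
 * asks whether the destination can hold the source, so any input of
 * NAME_LEN or more characters writes past the end of `name` and corrupts
 * whatever the program stores next to it. Shown for contrast only; this
 * example never calls it with oversized input. */
static void unsafe_set_name(char name[NAME_LEN], const char *src) {
    strcpy(name, src);
}

/* The hardened form. Measure first, reject input that does not fit, and
 * always leave the buffer NUL-terminated. Returns 0 when the name was
 * stored and -1 when it was refused. */
static int safe_set_name(char name[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {      /* no room for the data plus its NUL */
        name[0] = '\0';
        return -1;
    }
    memcpy(name, src, n + 1); /* n bytes of text plus the terminator */
    return 0;
}

/* Helper so the check can be exercised: 1 if the input is accepted by the
 * hardened routine, 0 if it is refused. */
static int accepts_name(const char *src) {
    char name[NAME_LEN];
    return safe_set_name(name, src) == 0;
}

/* Helper showing that a refused input leaves an empty, terminated buffer
 * rather than a partially written one. Returns the stored length. */
static size_t stored_length(const char *src) {
    char name[NAME_LEN];
    (void)safe_set_name(name, src);
    return strlen(name);
}

int main(void) {
    /* Constructed inputs: 5, 15 and 16 characters. Only the first two fit. */
    const char *inputs[] = { "scott", "fifteen_chars__", "sixteen_chars___" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-18s -> %s\n", inputs[i],
               accepts_name(inputs[i]) ? "stored" : "refused (would overrun)");
    }
    /* Safe demonstration of the unsafe routine: the input fits, so no
     * overrun occurs here. With the 16-character input it would. */
    char name[NAME_LEN];
    unsafe_set_name(name, "scott");
    printf("unsafe copy of a fitting value: %s\n", name);
    return 0;
}
```

The point of the contrast is that the two routines behave identically on well-formed input; the difference only shows when a caller can control the length, which is exactly the situation the article describes for a user who already has some access to the database.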

Two other vulnerabilities, in other Oracle components, could be exploited to cause a denial-of-service attack.

Davidson said that six flaws, in five advisories, may sound like a daunting number, but that Oracle decided that separating the alerts made more sense than releasing a single combined notification, a strategy occasionally used by Microsoft.

"We aren't going to play that game," she said. "We could have bundled all of these into one alert, but we thought that would have been confusing to people."
