Oracle pre-releases patch data

Oracle's latest patch bundle - the first to be detailed before release - includes 50 new critical updates

Oracle has started to pre-release patch update information for its software, notifying users of no less than 52 new critical updates that it formally issued today.

Oracle pre-released the patch update information on Thursday, saying that there are “27 new security fixes for Oracle Database products, 10 of which may be remotely exploitable without authentication”.

For Oracle’s Application Server, there were 12 patches of which three-quarters were remotely exploitable.

However, the chief executive of Oxford-based database and application assurance vendor Secerno, Paul Davie, warned that although this was a step in the right direction, “users need to beware : it’s not the vendor vulnerabilities they need to focus on but the critical weaknesses in their development processes”.

Secerno pointed out that patch management of database flaws is only part of the problem, and warned that badly written web applications for database access are a key cause for concern, especially SQL injection attacks, which can be used to gain complete control of SQL databases.

Sans Institute senior security analyst Ed Skoudis said that his organisation's penetration testing operations “discover SQL injection flaws in approximately 40 percent of the applications we analyse”.