Talk about a mammoth patch day. Oracle announced that it released 88 security patches for vulnerabilities in 35 products. Of course, Oracle has Patch Quarters (as opposed to Microsoft's monthly Patch Tuesday). However, as Wolfgang Kandek at Qualys said in his blog post:
Oracle patches are usually so massive and contain fixes for so many products that a good software inventory system becomes absolutely crucial to see where to act first and where to apply several patches in concert.
According to the Application Security TeamSHATTER blog, the specific products fixed by Oracle this time around include Database, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain, PeopleSoft, Siebel Health Sciences, Financial Services, Primavera, various Sun products and MySQL. (Java fixes are on a different schedule and aren't included in this batch.)
Patches and fixes are so commonplace these days that when I first heard about the Oracle fixes, I just shrugged and thought, "OK, this is pretty routine, although that seems like a pretty high number." But then I saw this tidbit: TeamSHATTER had not only pinpointed seven of the 12 database vulnerabilities, but one of those problems had been reported in October 2009, two-and-a-half years ago.
It takes more than two years to fix a reported problem? That almost makes Apple's taking a few months to fix its Flashback Trojan problem seem speedy.
I know you can't wave a magic wand and there is no genie in a bottle to blink her eyes to make everything all better. But as the folks at TeamSHATTER told me, if security researchers know about a hole, there is a very good chance the bad guys do too. And who ends up hurt by this in the long run? The companies and computer owners who use those products.
Perhaps this mammoth fix is a good sign for Oracle. As the TeamSHATTER blog pointed out:
Let's hope this will break the trend of declining fixes for Oracle's flagship Database product.