Oracle drops 248 – count 'em – 248 patches, to fix ... something Oracle has just pushed out its quarterly batch of critical patches, so sysadmins had best get busy. The bug-splat haul covers a record-setting 248 individual fixes, with the full list here. The Oracle E-Business Suite gets the biggest serve, with a whopping 78 bugs patched, 68 of which are remotely exploitable without …
"There's a small sigh of relief for MySQL Server users, since although the patch-round covers 22 vulnerabilities, only one is remotely exploitable."
So more vulnerabilities in one go than MS SQL Server has had ever!
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-251/opdos-1/Microsoft-Sql-Server.html
>Sure it is. Worked so well for say Open SSL across 18+ years didn't it?
Eventually found, fixed and disclosed.
Potentially found, exploited and not disclosed for 18+ years.
I'm not sure your suggestion of relying on the vulnerability disclosure policy of governments is a particularly great idea.
Corporates, hmmm, it would be interesting to know how many corporates have audited the source code of SQL Server. Having theoretical access to audit is a long way off having the technical skill set, time and money to do so.
Yes, downvoter.
So how's that gonna work?
"Here is the source code, you can audit it to your heart's content. It's a hairball of historical accidents with lots of bullshit crammed into the kernel that shouldn't even be there in the first place, you may want to do a very precise audit because we not entirely sure what some of that code does ourselves. But you have an army of top Microsoft OS specialists and gigabytes of traceable requirements, right, to make this more than an exercise in pretend due diligence?
When you are done, we will compile it for you ...
MWAHAHAHA!"
"It's a hairball of historical accidents with lots of bullshit crammed into the kernel that shouldn't even be there in the first place"
If you think that about a microkernel OS like Windows, what about Linux?! It's way way worse in that regard.
"to make this more than an exercise in pretend due diligence?"
That seems to work for the Open Source world.
"If you think that about a microkernel OS like Windows, what about Linux?! It's way way worse in that regard."
I agree a microkernel OS *should* be smaller and therefore easier to validate but Windows is not a microkernel OS because it runs stuff like font file parsing & rendering in ring 0. By contrast Linux does not render fonts in ring 0 - so that's *less* code to validate in the Linux case.
A lot of this is a moot point anyway - because the modern Wintel hardware has a metric shit load of protection domains that overlap, there are at least two *more* privileged layers above classic "ring 0" these days. Folks need to audit the firmware on the processors and motherboard these days, folks on old school RISC platforms have life a bit easier. :)
Oracle gives its risk matrices to everyone but keeps the details of individual CVEs (Common Vulnerabilities and Exposures) to users with log-ins to its support portal.
This is incorrect. The Patch Availability documents linked to from the announcement are just that - they detail which patches to download for which product versions and link to other support docs for known issues, non-standard patching instructions, etc. They don't provide paying customers any more detail on the vulnerabilities than what Joe Public can infer from the risk matrices, which shouldn't be surprising:
https://www.oracle.com/support/assurance/vulnerability-remediation/disclosure.html
(I have my own support contract with Oracle as an independent consultant, so the above is based on first-hand readings of the docs.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
