Oracle has released a 'critical patch update' that plugs 122 security vulnerabilities across the company's databases, enterprise applications, developer tools and middleware.
The vendor issues its security updates on a quarterly basis and is now using a system that assigns a severity score to its bugs on a scale of one to 10.
Oracle has also started providing additional information indicating whether a flaw can be exploited by remote attackers without any authentication credentials. The system is designed to help administrators identify the most urgent issues.
The most important security flaw was assigned a 'base score' of 7.0 and affects Oracle Application Express. The company's flagship database received a total of 22 fixes, with the most severe ranked at 4.2.
The scores are assigned using the industry standard Common Vulnerability Scoring System which is also used by Cisco Systems.
David Litchfield, a representative from Next Generation Security Software, criticised Oracle for failing to deliver its patches on all platforms.
Patches for Oracle databases 220.127.116.11 and 10.1.0.5 will not be available until the end of this month.
Users running Oracle 10.2.0.1 on Linux on Power servers will also have to wait until the end of October, as will users running Oracle 10.2.0.2 on Windows.
"After a successful July 2006 critical patch update release, when Oracle had all the patches ready, it is disappointing to see Oracle slipping back into its old bad habits," said Litchfield.
Oracle plugs 122 security holes
By Tom Sanders on Oct 20, 2006 9:42AM