'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com)
itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.
"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.
TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
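The one confirmed third-party exposure in the summary hinges on a single Exchange setting, so the practical first check is whether WebReady Document Viewing is turned on for any Outlook Web App virtual directory. The script below is an added example, not code from the article, Cisco Talos, Oracle or Microsoft. It assumes an Exchange Management Shell session on Exchange 2007 or 2010 and uses the standard Get-ExchangeServer, Get-OwaVirtualDirectory and Set-OwaVirtualDirectory cmdlets and their WebReadyDocumentViewing* properties; the function name Test-WebReadyExposure is chosen here. Exchange 2013 (server version 15.x) replaced WebReady with Office Web Apps Server, so the check limits itself to 8.x/14.x servers. Disabling the feature is a mitigation only; the Oracle-derived code path stays on disk until the vendor patch is applied.

```powershell
# Added example (not from the article or the researchers' post).
# Assumes an Exchange 2007/2010 Management Shell; cmdlet and property names
# are the standard Exchange ones, Test-WebReadyExposure is a name chosen here.

function Test-WebReadyExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Turn WebReady viewing off on every exposed vdir instead of only reporting.
        [switch]$Disable
    )

    # WebReady Document Viewing exists only on Exchange 2007 (8.x) and 2010 (14.x);
    # Exchange 2013 (15.x) hands online viewing to Office Web Apps Server instead.
    $legacy = Get-ExchangeServer |
        Where-Object { $_.AdminDisplayVersion.Major -lt 15 } |
        ForEach-Object { "$($_.Name)" }
    if (-not $legacy) {
        Write-Verbose "No Exchange 2007/2010 servers found; nothing to check."
        return @()
    }

    $findings = foreach ($vdir in Get-OwaVirtualDirectory) {
        # Skip vdirs that live on servers without the WebReady code path.
        if ($legacy -notcontains "$($vdir.Server)") { continue }

        # Either public- or private-computer mode enabled means attachments are
        # rendered server-side through the OIT-based converters.
        $exposed = $vdir.WebReadyDocumentViewingOnPublicComputersEnabled -or
                   $vdir.WebReadyDocumentViewingOnPrivateComputersEnabled

        [pscustomobject]@{
            Server    = "$($vdir.Server)"
            Identity  = "$($vdir.Identity)"
            Public    = $vdir.WebReadyDocumentViewingOnPublicComputersEnabled
            Private   = $vdir.WebReadyDocumentViewingOnPrivateComputersEnabled
            FileTypes = ($vdir.WebReadyDocumentViewingSupportedFileTypes -join ',')
            Exposed   = $exposed
        }

        # Mitigation (not a patch): stop server-side rendering on exposed vdirs.
        # Honors -WhatIf / -Confirm through ShouldProcess.
        if ($exposed -and $Disable -and
            $PSCmdlet.ShouldProcess("$($vdir.Identity)", "Disable WebReady Document Viewing")) {
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
        }
    }
    $findings
}

# Report only:
Test-WebReadyExposure | Format-Table -AutoSize
# Preview the mitigation without changing anything, then run it for real:
# Test-WebReadyExposure -Disable -WhatIf
# Test-WebReadyExposure -Disable
```

The FileTypes column is worth keeping in the report: it lists exactly which attachment types the server will hand to the converters, which is the same list an attacker picks a crafted file from. Run the report again after patching to confirm the vdirs you re-enable are on servers that actually received the vendor update.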
Crooked Hillary for prison. Her incompetence has killed enough people. Maybe she'll even manage to get some people killed with her incompetence from inside prison. If I think one can do it, then it's her.
The way Oracle sits on so many vulns for so long until aged to perfection is quite remarkable.
Even more remarkable is the nature of the exploits themselves: "159 can be exploited remotely without authentication".
I can only assume Oracle shops will install this latest batch of updates and get back to business as usual without batting an eye or even contemplating pushing back at all against this batshit insanity.
The whole shtick is broken; summaries go up top, not at the bottom. But a summary that needs a summary? Shame on you, editor.
Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange
From Oracle's website:
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
So Microsoft needs an Oracle SDK to read MS Office documents? Now that explains a lot. (Pro tip: if you ever need to open an Office 95 doc, use OpenOffice if MS Office fails at it.)
Less high-profile companies may have just as many bugs in their "golden master" code but neither they nor "white-hat" outside groups are looking for them as hard as would with a high-profile company.
This means if I use a just-as-buggy product from a not-as-big company, the only people who may know about the bugs are the people spear-phishing me and governments (which may be one and the same).
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I just downloaded one of Oracle's SDKs...
WebReady document viewing is not in Exchange 2013. Exchange 2010 has it, but 2013 uses the Office Web Apps server (like SharePoint 2013) for online document viewing; otherwise attached documents are forced to be downloaded.
This is why you should never rely on library code. If everybody wrote their own file handling utilities, then each program would have unique bugs! :)