Slashdot Mirror


'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com)

itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell GroupWise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance EnCase and Veritas Enterprise Vault.

"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.

TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
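The summary above makes one exposure condition concrete: an Exchange 2013-or-earlier server is only reachable through these OIT flaws if WebReady Document Viewing is turned on. The script below is an added example for checking that condition, not code from the CSO article or the Talos post. It uses the Exchange Management Shell cmdlets Get-OwaVirtualDirectory, Set-OwaVirtualDirectory and Get-OwaMailboxPolicy and their WebReadyDocumentViewing* parameters, which are not quoted anywhere on this page; the -Disable switch and the report format are my own.

```powershell
# Added example (not from the article or from Talos): audit, and optionally turn off,
# WebReady Document Viewing on Exchange 2010/2013 Outlook Web App virtual directories.
# Cmdlet and parameter names are the Exchange Management Shell ones (assumed, not quoted
# on the page). Run inside the Exchange Management Shell with Exchange admin rights.
param(
    [switch]$Disable   # default is report-only; pass -Disable to switch the feature off
)

$exposed = @()

# Each OWA virtual directory carries two independent flags: one for "public" and one
# for "private" computer sessions. Either one being $true means WebReady is live.
foreach ($v in Get-OwaVirtualDirectory) {
    $pub  = $v.WebReadyDocumentViewingOnPublicComputersEnabled
    $priv = $v.WebReadyDocumentViewingOnPrivateComputersEnabled
    "{0,-60} public={1,-5} private={2,-5}" -f $v.Identity, $pub, $priv

    if ($pub -or $priv) {
        $exposed += $v.Identity
        if ($Disable) {
            Set-OwaVirtualDirectory -Identity $v.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
        }
    }
}

# OWA mailbox policies hold the same two settings and override the virtual directory
# for any mailbox they are assigned to, so a vdir-only audit can miss an enabled policy.
foreach ($p in Get-OwaMailboxPolicy) {
    $pub  = $p.WebReadyDocumentViewingOnPublicComputersEnabled
    $priv = $p.WebReadyDocumentViewingOnPrivateComputersEnabled
    "policy {0,-53} public={1,-5} private={2,-5}" -f $p.Name, $pub, $priv

    if ($pub -or $priv) {
        $exposed += "policy:" + $p.Name
        if ($Disable) {
            Set-OwaMailboxPolicy -Identity $p.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
        }
    }
}

if ($exposed.Count -eq 0) {
    "WebReady Document Viewing is disabled everywhere; the OIT path through OWA is closed."
} else {
    "WebReady Document Viewing enabled on {0} object(s):" -f $exposed.Count
    $exposed | ForEach-Object { "  " + $_ }
    if (-not $Disable) { "Re-run with -Disable to turn it off, or apply the vendor patch." }
}
```

Run it once without -Disable to see what is enabled, and treat the vendor patch as the real fix: switching WebReady off removes the OWA entry point, but any other product on the list that embeds the same OIT SDKs still needs its own update.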


  1. Uncle Larry's yachts have all been patched by WaffleMonster · Score: 3

    The way Oracle sits on so many vulns for so long until aged to perfection is quite remarkable.

    Even more remarkable is the nature of the exploits themselves: "159 can be exploited remotely without authentication"

    I can only assume Oracle shops will install this latest batch of updates and get back to business as usual without batting an eye or even contemplating pushing back at all against this batshit insanity.

    1. Re: Uncle Larry's yachts have all been patched by vtcodger · Score: 1

      "I can only assume Oracle shops will install this latest batch of updates and get back to business as usual without batting an eye or even contemplating pushing back at all against this batshit insanity"

      What would you propose Oracle shops do instead? It's not like anyone, anywhere, has the slightest idea how to code defect-free software or fix 70 million lines or so of existing defective code.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    2. Re: Uncle Larry's yachts have all been patched by K. S. Kyosuke · Score: 1

      Maybe defect-free software is too high a bar, but painting yourself into a corner with 70M LOCs hardly seems like the preferred alternative, considering the well-known correlations between size and absolute defect count. If the religion of complexity dies today, it won't be soon enough.

      --
      Ezekiel 23:20
    3. Re: Uncle Larry's yachts have all been patched by Billly Gates · Score: 1

      For one, stop going to Indian sweatshops and finding the cheapest outsourcer with teams of no real-world experience.

  2. Well, at least they are being patched by davidwr · Score: 2

    Less high-profile companies may have just as many bugs in their "golden master" code, but neither they nor "white-hat" outside groups are looking for them as hard as they would with a high-profile company.

    This means if I use a just-as-buggy product from a not-as-big company, the only people who may know about the bugs are the people spear-phishing me and governments (which may be one and the same).

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Hmm by ramiro623 · Score: 1

    I just downloaded one of Oracle's SDKs..