Oracle Critical Patch Update Announcement for July 2012 Review

Oracle has provide his Critical Patch Update (CPU) Pre-Release Announcement for July 2012 how will be released on Tuesday, July 17. This CPU contains 88 security vulnerability fixes across hundreds of Oracle products… Some of the vulnerabilities affect multiple Oracle products. On the 88 security vulnerabilities and 37 of them may be remotely exploitable without authentication, this represent 42% of the vulnerabilities. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0 and concern Oracle Fusion Middleware.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Oracle Database Server

4 vulnerabilities are reported for “Oracle Database Server” and 3 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. Affected components are “Core RDBMS” and “Network Layer“.

Oracle Application Express Listener

1 vulnerability his reported for “Oracle Application Express Listener” and this vulnerability may be remotely exploitable without authentication. The CVSS score of this vulnerability is 7.8. Affected component is “Oracle Application Express Listener“.

Oracle Secure Backup

2 vulnerabilities are reported for “Oracle Secure Backup” and both may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “Apache” and “PHP“.

Oracle Fusion Middleware

22 vulnerabilities are reported for “Oracle Fusion Middleware” and 8 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. Affected components are “Enterprise Manager for Fusion Middleware“, “Oracle HTTP Server“, “Oracle JRockit“, “Oracle MapViewer“, “Oracle Outside In Technology” and “Portal“.

Oracle Hyperion

1 vulnerability his reported for “Oracle Hyperion” and this vulnerability may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. Affected component is “Hyperion BI+“.

Oracle Enterprise Manager Grid Control

1 vulnerability his reported for “Oracle Enterprise Manager Grid Control” and this vulnerability may be remotely exploitable without authentication. The CVSS score of this vulnerability is 6.8. Affected component is “Enterprise Manager for Oracle Database“.

Oracle E-Business Suite

4 vulnerabilities are reported for “Oracle E-Business Suite”  and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Oracle Application Object Library” and “Oracle E-Business Intelligence“.

Oracle Supply Chain Products Suite

5 vulnerabilities are reported for “Oracle Supply Chain Products Suite” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Oracle AutoVue” and “Oracle Transportation Management“.

Oracle PeopleSoft Products

9 vulnerabilities are reported for “Oracle PeopleSoft Products” and none of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “PeoleSoft Enterprise PeopleTools“, “PeopleSoft Enterprise HRMS” and “PeopleSoft Enterprise PeopleTools“.

Oracle Siebel CRM

7 vulnerabilities are reported for “Oracle Siebel CRM” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected component is “Siebel CRM“.

Oracle Industry Applications

1 vulnerability his reported for “Oracle Industry Applications” and is not remotely exploitable without authentication. The CVSS score of this vulnerability is 2.8. Affected component is “Oracle Clinical Remote Data Capture Option“.

Oracle Sun Products Suite

25 vulnerabilities are reported for “Oracle Sun Products Suite” and 17 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “GlassFish Enterprise Server“, “Oracle iPlanet Web Server“, “Solaris“, “Solaris Cluster” and “SPARC T-Series Servers“.

Oracle MySQL

6 vulnerabilities are reported for “Oracle MySQL” and none of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected component is “MySQL Server“.

Microsoft July 2012 Patch Tuesday Review

Microsoft has release, the 10 July 2012, during his July Patch Tuesday, two security advisories and nine security bulletins. On the two security advisories one is preventing a future 0day disclosure and on the nine security bulletins six of them are fixing publicly disclosed vulnerabilities.

Microsoft Security Advisory 2719662

MSA-2719662 recommend to disable as soon as possible Windows Sidebar and Gadgets available on Windows Vista and Windows 7. Possible execution of arbitrary code could be exploited through Windows Sidebar when running insecure Gadgets. KB-2719662 Fix IT solution will provide you a way to disable Windows Sidebar and Gadgets. Microsoft thanks Mickey Shkatov and Toby Kohlenberg for this MSA.

It is quiet surprising and disturbing that Microsoft recommend to disable Windows Sidebar and Gadgets how are used by a bunch of end users. The argument used to push the user to deactivate these stuffs is that Windows 8 will depreciate Sidebar and Gadgets. Why disable features from a supported version because the new version will no more use these features. You can compare this deactivation as disabling Widgets under Mac OS X. I think that the reason is quiet simple, Mickey Shkatov will present, at Black Hat US 2012 the 26 July, a session called “We have you by the Gadgets“. And I feel that the discovered vulnerabilities are quiet to long and hard to fix, and that Microsoft has decide to no more support Sidebar and Gadgets.

Microsoft Security Advisory 2728973

MSA-2728973 is the suite of the Flame malware attacks consequences, more Microsoft digital certificates have been moved to the “Untrusted Certificates Store”. The main reasons is that Microsoft is considering that the affected digital certificates are outside his secure storage practice, and that the RSA keys length are less than 2048 bits, how is considered as a best practice. KB-2728973 will correct these issues. Just remember that in Jun 2012 Microsoft had decide to block RSA keys that were under 1024 bits.

What is interesting is that these keys were considered not following Microsoft secure storage practice. Were these keys accessed by unnecessary custodians ? Were the keys not stored in an encrypted format or the key-encrypting keys not stored separately from data-encrypting keys ? Were the keys storage locations stored in multiple uncontrolled locations and forms ? Were the keys distributed in an insecure manner ? No answers 🙂

MS12-043 – Microsoft XML Core Services

MS12-043 security update, classified as Critical, allowing remote code execution, is the fix for CVE-2012-1889 found exploited in the wild in Jun 2012. This vulnerability was demonstrated by a Metasploit PoC the 15 Jun and then integrated into Blackhole exploit kit at the end of Jun.

MS12-044 – Cumulative Security Update for Internet Explorer

MS12-044 security update, classified as Critical, allowing remote code execution, is fixing two vulnerabilities CVE-2012-1522 and CVE-2012-1524. Both vulnerabilities were reported through VeriSign iDefense Labs coordinated vulnerability disclosure. CVE-2012-1522 was discovered by Jose A. Vazquez and CVE-2012-1524 discovered by Omair.

MS12-045 – Microsoft Data Access Components [MDAC]

MS12-045 security update, classified as Critical, allowing remote code execution, is fixing one vulnerability CVE-2012-1891. This vulnerability was reported through ZDI coordinated vulnerability disclosure.

MS12-046 – Visual Basic

MS12-046 security update, classified as Important, allowing remote code execution, is fixing one vulnerability CVE-2012-1854. This vulnerability has been discovered exploited in the wild since Mid-March ! The targeted attacks were focusing on Japanese organizations.

MS12-047 – Windows Kernel-Mode Drivers

MS12-047 security update, classified as Important, allowing escalation of privilege, is fixing two vulnerabilities CVE-2012-1890 and CVE-2012-1893. CVE-2012-1890 has been publicly disclosed and discovered by Nicolas Economou of Core Security Technologies and Qihoo 360 Security Center. CVE-2012-1893 was reported through Lufeng Li of Neusoft Corporation coordinated vulnerability disclosure. CVE-2012-1893 has a public exploit code but limited to local DoS. Some details of CVE-2012-1890 have been provided by Core Security Technologies.

MS12-048 – Windows Shell

MS12-048 security update, classified as Important, allowing remote code execution, is fixing one vulnerability CVE-2012-0175. This vulnerability was reported through Adi Cohen of IBM Security Systems coordinated vulnerability disclosure. Vulnerability details have been provided by Adi Cohen of IBM Security Systems.

MS12-049 – TLS

MS12-049 security update, classified as Important, allowing information disclosure, is fixing one vulnerability CVE-2012-1870. This vulnerability has been publicly disclosed.

MS12-050 – SharePoint

MS12-050 security update, classified as Important, allowing escalation of privilege, is fixing 6 vulnerabilities CVE-2012-1858CVE-2012-1859CVE-2012-1860CVE-2012-1861CVE-2012-1862 and CVE-2012-1863.

CVE-2012-1858 has been publicly disclosed by Adi Cohen of IBM Security Systems and could allow XSS attacks. A proof of concept code is available on IBM Security Systems.

CVE-2012-1859, CVE-2012-1860, CVE-2012-1861, CVE-2012-1862 and CVE-2012-1863 were reported through coordinated vulnerability disclosure.

MS12-051 – Microsoft Office for Mac

MS12-051 security update, classified as Important, allowing escalation of privilege, is fixing one vulnerability CVE-2012-1894. This vulnerability has been discovered exploited in the wild during targeted attacks against Tibet organizations.