Oracle Starts Using CVSS Risk Ratings
Oracle’s last quarterly Critical Patch Update included some changes and started using CVSS to rate the severity of their vulnerabilities. Anyone who has ever tried to truly understand Oracle vulnerabilities most likely thought this would be a much-needed improvement. The easy/difficult, wide/low/high ratings Oracle used previously made it almost impossible to figure out just how critical the issues were and then to prioritize the patch implementation.
Shortly after the October CPU was released, researchers started to question the CVSS ratings, leading many to believe that Oracle is downplaying the true risk of the vulnerabilities.
Oracle also patched 13 remotely exploitable holes in its Application Server software, the highest of which the vendor rated as 4.7 out of 10. However, a closer examination of the flaws suggests that many of the ratings should be in the 8.0 range, said Caleb Sima, CTO of SPI Dynamics, an Atlanta-based security vendor that also reported bugs to Oracle. “The problem is, Oracle didn’t give enough details [for third parties] to be able to say exactly what the score should be,” Sima said. – Source
Oracle claims that they are listening to their customers and trying to help organizations really understand the true risk. However, it appears that for many of the vulnerabilities the advisories contained even less detail in the new format than previously. Was the only real improvement to the advisories that questionable CVSS ratings were included?
Beware of MS06-013, not just a security fix…
About a week ago I started receiving emails from vendors warning that if the upcoming Internet Explorer patch was installed it would break all of their applications. Some of the emails were fairly detailed and even explained that once the patch was installed there was no going back since it could not be uninstalled. I had not heard of anything prior to the emails but figured this month was going to be extra painful.
When reading the details for MS06-013 it becomes clear pretty quickly that something is a bit off with this one once you get to the Caveats section.
From Microsoft’s website:
Caveats: Microsoft Knowledge Base Article 912812 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912812. […] Compatibility Patch – To help enterprise customers who need more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945 and included in Microsoft Security Bulletin MS06-013, Microsoft is releasing a Compatibility Patch on April 11, 2006. As soon as it is deployed, the Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent. This compatibility patch may require an additional restart for systems it is deployed on. For more information, see Microsoft Knowledge Base Article 917425.
It appears that Microsoft has packaged a non-security update with the “Cumulative Security Update” that is going to change the way ActiveX controls work in order to circumvent a recent patent lawsuit. The spin on this being included in the patch appears to be increased ActiveX security.
The bottom line is that if you want to patch Internet Explorer this month you are also going to have a good chance of breaking quite a few applications, because this other change has been packaged with the update. It appears to be impossible to get a patch that just corrects the vulnerabilities. Ah, but there is some hope, as Microsoft did release that “Compatibility Patch” that will give you until June to fix everything!
What am I missing here?
Here is a good article that explains the issues.