Oracle on Tuesday released its first set of 2007 security updates with fixes for 51 flaws, 34 of which can be exploited remotely without authentication, a category typically classified as "critical" by security analysts.
Of the 51 patches -- one fewer than Oracle said would be released when it posted its first-ever pre-announcement bulletin last week -- 26 are in the company's flagship Oracle database. Other patched products include Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.
The January Critical Patch Update, as Oracle dubs its quarterly security fixes, was roughly half the size of the previous one. That CPU, issued in October 2006, featured 101 patches.
"This wasn't the largest," says Amichai Shulman, chief technology officer of Imperva, an Israeli data center security vendor. "And we've seen a lot of these same vulnerabilities, or similar vulnerabilities in previous CPUs." It's not unusual, says Shulman, for already fixed Oracle vulnerabilities to reappear or to require repatching.
Oracle, which also recently instituted a scoring system to rank the risk of the individual vulnerabilities within a CPU, got good marks from Shulman for effort, but he says the company still has a long way to go to give customers enough information on what needs patching first.