Bug-squashing summer: A month’s worth of 0-day fixes among tech giants

Software company Oracle has released its July Critical Patch Update Advisory, fixing 508 vulnerabilities in its products. Among the fixes are 77 new security patches for Oracle Communications. Oracle warned that 57 of these vulnerabilities could be remotely exploited over a network without user credentials. One of the worst flaws is CVE-2023-20862, which has been given a CVSS score of 9.8.

Not to nitpick on just Oracle, but geez! 57 of the 77 in Oracle Communications were RCEs??? Someone's SDLC process is severely failing.
 
Upvote
29 (29 / 0)
Not to nitpick on just Oracle, but geez! 57 of the 77 in Oracle Communications were RCEs??? Someone's SDLC process is severely failing.

Well you can't maintain a bug hunt and create an utterly baroque licensing system to squeeze every dime out of your customers.

One must prioritize.
 
Upvote
44 (44 / 0)

mikeb_60

Ars Praefectus
10,189
Subscriptor
FWIW, Thunderbird patched to 102.13.1 on July 26. Firefox had a patch around that time too, but then released 116.0 today (August 1). Presumably, in a month or so, Thunderbird will update to that base too.

The Cumulative Update Previews for August for Win10 & 11 were released on July 26, too. Shadow Patch Tuesday.
 
Upvote
6 (7 / -1)

UserIDAlreadyInUse

Ars Tribunus Militum
2,419
Subscriptor
Hot summer streets and my OS is burning
I sit around
Trying to smile but the exploits susceptible to drive-bys
Strange files are savin' (what did they save?)
Things I can't now decrypt
Exploited too many apps with the bad guys installing their scripts...

It's a cruel, (cruel) cruel summer
Leavin' me here on my own
Patching too, (patching too!) many apps
Data's gone

Android's the first none, my phone is too old
So I'm on my own
It's one rev behind so the telco's told me to go

It's a cruel, (cruel) cruel summer
Downloading all of the patches
It's a cruel, (it's a cruel) cruel summer
Installing in several batches
Gonna feel only it was...

Windows was hit while I looked for a film
That I used to watch
Another exploit when I tried to order some scotch...

It's a cruel, (cruel) cruel summer...

With apologies to Bananarama...
 
Upvote
8 (9 / -1)

7xq0p58q5s

Smack-Fu Master, in training
73
Subscriptor++
I'm guessing about a billion android devices will never get patched for these vulnerabilities.

That's probably OK though. /s

Please lawmakers, just write some legislation that demands 5 years of prompt (monthly for CVSS 9.0 or above, quarterly for the rest) updates, with the 5 years starting from when the device is no longer sold. Yes, things will be more expensive, but everyone and every business benefits.
 
Upvote
8 (11 / -3)

SeanJW

Ars Tribunus Angusticlavius
8,076
Subscriptor++
Not to nitpick on just Oracle, but geez! 57 of the 77 in Oracle Communications were RCEs??? Someone's SDLC process is severely failing.

Oracle products aren't really a monolithic product - they're a bundle of Oracle code and open source (like most products these days really); so some of it will be Apache, some of it will be Java, some of it will be their own stuff...things like that. But you can't separate them - they'll only certify their bundle of Apache as supported, so when they patch, you get their Apache's patches.
 
Upvote
0 (0 / 0)