Oracle Critical Patch Updates Database Patchset Support
A point of contention and confusion regarding Oracle Critical Patch Update (CPU) database patches is that only a limited set of database patchsets are supported. For the January 2008 CPU, only the patchsets 9.2.0.8, 10.1.0.5, 10.2.0.2, 10.2.0....

Oracle Critical Patch Updates - Types of Fixes in Database Patches
An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes. The list of bugs fixed in the database patch readme is cryptic at best and it can be difficult...

Oracle Exploits
Since several new Oracle exploits were published this week, I thought it would be a good time to provide some background on exploits. A topic of conversation whenever discussing Oracle security vulnerabilities is the complexity of exploiting such...

OAUG eLearning: Oracle Critical Patch Update January 2008
This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, January 15th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday....

Oracle Critical Patch Update - January 2008 - E-Business Suite Impact
Oracle released the thirteenth Critical Patch Update (CPU) today. This quarter is the same as the previous twelve with many patches and long hours in order to get all the security patches applied in a timely manner. 17 of the 27...

Critical Patch Update January 2008 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming January 2008 Oracle Critical Patch Update (CPU) - Overall, 27 security vulnerabilities are fixed in this CPU, which is the lowest number of bugs fixed since the original...

Critical Patch Update January 2008 E-Mail Reminder
As part of the Oracle quarterly Critical Patch Update (CPU) process, a new reminder e-mail of the upcoming CPU is being sent to all individuals who signed up for e-mail notifications on the CPU web page. This e-mail is only a reminder that the...

Friendly Breaches? Not with Oracle IRM and URM, except at Oracle
I do respect Oracle for being an early adopter of their own products internally, including a very large implementation of the latest Oracle E-Business Suite. Unfortunately, it appears that Oracle does not run all their products everywhere....

Hashing Credit Card Numbers: Revisited Again
I recently had to revisit the estimates I provided in our white paper on brute forcing credit card hashes since new techniques were published that can speed the brute forcing up by at least a factor of 5 using off-the-shelf video cards. Well,...

Oracle Employees Really Do Read This Blog
From the Integrigy server statistics, I have known that we get hundreds of visits a day from the Oracle proxy and cache servers. Many days collectively the Oracle domains (.com, .uk, etc.) are number one. The vast majority of the hits...

Connect It and The Hackers Will Come
When clients are deploying an unpublished supplier or customer application to the Internet for the first time, they are always amazed at the sheer number of random attacks. Granted, many of these are looking for PHP pages or some other long ago...

Hashing Credit Card Numbers: Revisited
This past March, I published a white paper looking at how some applications hash credit card numbers and how vulnerable these hashes are to brute forcing. I developed a proof of concept to roughly estimate the timings (about 2 million hashes...

11i: The Application Upgrade Made Me Do It
Performing security assessments on Oracle Applications implementations sometimes involves some detective work. During our assessments, we have encountered a number of 11.5.10 CU2 implementations where the "Signon Password Hard to Guess...

OAUG eLearning: Oracle Critical Patch Update October 2007
This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, October 16th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday....

Oracle Critical Patch Update - October 2007 - E-Business Suite Impact
Oracle released the twelfth Critical Patch Update (CPU) yesterday. This quarter is the same as the previous eleven with many patches and long hours in order to get all the security patches applied in a timely manner. Fortunately like...