The Critical Patch Update delivers remedies for 14 flaws related to Oracle's Database products, five related to the Collaboration Suite, one in Application Server, 15 related to E-Business Suite and Applications, two in the Enterprise Manager, one in PeopleSoft's Enterprise portal and one in JD Edwards software.
In addition to the security fixes, Oracle said it has made "significant" changes to an existing tool that checks for default accounts and passwords. The tool was released in January as a response to the "Oracle voyager" database worm, which exploits those default items.
The business software maker has come under fire for being slow to patch security holes and for not collaborating well with researchers who find bugs. Oracle's chief security officer, Mary Ann Davidson, has responded in turn by saying bug hunters themselves can be a problem when it comes to product security.
In its patch bulletin, the company credited a number of researchers with reporting vulnerabilities. These include Alexander Kornbrust of Red Database Security, Esteban Martinez Fayo of Application Security and David Litchfield of Next Generation Security Software, who claimed discovery of Oracle Database flaws in a posting to the Full Disclosure mailing list.
