Quarterly security update includes fixes for 28 products, including critical vulnerabilities in Audit Vault, JRockit, Solaris, and WebLogic.

Mathew J. Schwartz, Contributor

January 18, 2011


Oracle is set to release a massive, quarterly security update on Tuesday that includes 66 patches for 28 products.

Of the bugs to be patched, 34 are described as "remotely exploitable without authentication" and score a "10" -- the most severe type of vulnerability -- on the Oracle Common Vulnerability Scoring System (CVSS). "That's roughly equivalent to what Microsoft deems critical -- in other words, the sort of bug which might allow a network worm to spread without user involvement," blogged Paul Ducklin, the head of technology for Sophos in Asia Pacific.

The products with the most severe vulnerabilities are Oracle Audit Vault, JRockit, Solaris, and WebLogic Server. Notably, all four products "may be exploited over a network without the need for a username and password," said Oracle. That's especially dangerous for a security application such as Oracle Audit Vault, which is meant to create a verifiable audit trail.

According to Daniel Wesemann of the Internet Storm Center, "[it's] always disappointing when a so-called security component makes the system actually more vulnerable."

While 28 products are to be patched, several of the products are actually product bundles, such as Oracle Sun Products Suite, which includes 10 affected products -- such as the Solaris operating system and Java System Access Manager -- as well as Oracle Fusion Middleware, which includes nine affected products, such as HTTP Server and JRockit.

The Oracle Open Office suite -- Open Office, StarOffice, StarSuite -- also contains severe vulnerabilities that rate a 9.3 on the CVSS scale, while vulnerabilities in Oracle Database Server rate a 7.5.

Other products getting security updates include Oracle Database 10g and 11g, Secure Backup, E-Business Suite 11i and 12, and PeopleSoft.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
