A fresh bug has emerged in Oracle's critical patch update (CPU) for October, adding to a barrage of recent criticism of Oracle's security practices. The bug means that system administrators may think they're protected against one security flaw, when in fact protection hasn't been installed, according to Next Generation Security Software (NGSS).

Separately, security researchers said a new Symantec update designed to protect against a recently revealed Microsoft Windows flaw is causing problems.

The incidents are part of what seems to be a recent trend - bugs in security software causing nearly as much trouble as the flaws they're supposed to protect against.

Oracle's patch fails to install some components on all operating systems, according to according to a NGSS email to the Bugtraq mailing list on Tuesday. "The October 2005 CPU fails to install the patched Oracle Text (CTXSYS) components on Oracle on all operating systems. This is due to a problem with the install sql script," NGSS said.

"Even if you have Oracle Text installed the patch installer will not install the updated PL/SQL packages. The fallout from this means that your servers may still be vulnerable to the Oracle Text flaws," the company said.

The flaw in question allows users with low privileges to gain administrator privileges, and in some cases can be exploited from the Internet without a user ID or password, NGSS said. If a system is still vulnerable, NGSS recommended running the ctxcpu.sql install script manually.


NGSS said its examinations since the CPU's appearance have also revealed "new vulnerabilities and problems with the patches for old vulnerabilities". It didn't give details, but said the problems have been reported to Oracle.

David Litchfield of NGSS, who discovered eighteen of the 88 bugs fixed in October's update, said shortly after the CPU's appearance that it could allow attackers to continue taking advantage of some of the bugs.

"Having downloaded and given the Oracle October patch a cursory examination, some of the flaws Oracle told me were being fixed remain exploitable," he wrote in a message to Bugtraq. "Once again the patch is not sufficient."

Oracle has come under increasing pressure over its security practices this year. Besides the October CPU problems, in July Oracle released two sets of database patches to fix flaws in previously released security patches. One of the affected fixes in July was itself a fix to an earlier set of patches - in other words, a patch for a patch for a patch.

Earlier this year a German security firm released details of several high-risk Oracle flaws, along with workarounds, claiming to have seen no action from Oracle two years after reporting the bugs. The firm said the delay was more evidence that Oracle's patching system is in disarray.

Oracle has said it stands behind the security of its products and takes security seriously.

NGSS actually had some kind words for Oracle, saying that its practices seem to be improving. "Whilst there are problems with the Oracle October 2005 Critical Patch Update, it's not all bad news. There is a great deal of evidence in this patch that Oracle are beginning to treat security properly."

Symantec false positives
Meanwhile, security research centre SANS Institute said on Thursday that users have been reporting problems with a recent Symantec update.

The problem is with definition files for Symantec Antivirus, specifically 11/9/2005 rev. 25, according to the SANS Internet Storm Center. The definition file includes a pattern for Bloodhound.Exploit.45, designed to detect files exploiting the vulnerability Microsoft patched earlier this week in update MS05-053.

That flaw, involving the rendering of EMF files, could allow attackers to take over a system, according to Microsoft.

Unfortunately, the Symantec definition isn't very good at distinguishing between malicious EMF files and benign ones, according to SANS. "As it turns out, this pattern seems to be generating a lot of false positives in almost any EMF file, certainly those generated by Excel (and in turn this prevents Excel from functioning properly)," said SANS in an advisory.

The organisation said the workaround is currently to exclude EMF files from scanning - which would of course allow malicious files to pass.