Oracle patches Solaris 10 hole exploited by NSA spyware tool – and 298 other security bugs

Oracle today emitted a huge batch of 299 security fixes for its software – including a patch for a vulnerability exploited by a leaked NSA tool that can hijack Solaris systems. Details of the massive April dump can be found here: Oracle describes the updates as "critical," and urges admins to install them "without delay." …

  1. Anonymous Coward

    Money first, patches later

    "if you can" is the nub of the issue. Patches are not free and I doubt that they will refresh the free Solaris 10 version. Fine for corporate folk, not for hobbyists.

    1. Paul Crawford Silver badge

      Re: Money first, patches later

      Let's face it, Oracle does not give a flying fsck about any hobbyist.

      When Sun did well with Solaris it was when they engaged with universities, etc., to practically give it away, so a generation of computer science students left knowing and generally liking it. Oddly enough that translated into future sales when they got jobs in the real world.

      Those days are long gone and not coming back; now it's only Windows & Linux/Android.

      1. Anonymous Coward

        Re: Money first, patches later

        > Those days are long gone and not coming back, now its only Windows & Linux/Android.

        The BSDs seem to be growing pretty well too.

    2. patrickstar

      Re: Money first, patches later

      Not that I'm a fan of Orrible, but for those of you with a shitload of legacy systems and no support:

      The remote is fixed in the freely downloadable version.

      dtappgather shouldn't be present on a server, and if it is, you can just remove the SUID bit.

      1. Anonymous Coward

        Re: Money first, patches later

        Could someone provide a link, because I'm buggered if I can find the link on their site...

  2. John Smith 19 Gold badge

    The difference between a hardware company and a software company.

    Sun supplied Solaris as their hardware needed to run an OS.

    Oracle need hardware to run on but expect to charge you for whatever software (inc their OS) you run.

    BTW how is the "No support below Solaris 11" different from the "No support below Windows 10" of Microsoft?

  3. Matt Bryant Silver badge

    So a set of old vulns, including one so old even Oracle had patched it by 2012. Makes you wonder what other vulns the NSA boys and girls have found since...

  4. Robert Helpmann??

    From the Department of Redundancy Department

    "Get updating ASAP, if you can."

    The P in ASAP stands for "possible" for which "if you can" is a simple rephrasing. If you cannot, then it's not possible for you to do so.

  5. Anonymous Coward

    NSA love

    Isn't it great how much the NSA cares about the US. As soon as their tools were leaked, they went right to the vendors and told them what needs to be patched to prevent the massive fraud that would occur from common criminals having their tools.

    Oh, they didn't. Just who do they protect? Oh, the bad guys... never mind.

  6. Anonymous Coward

    They didn't actually fix CVE-2017-3622 - their docs simply state: "Patches are planned but not yet available". Solaris 10 is still wide open.

    1. patrickstar

      It's an easily mitigated local for something that shouldn't be present on a server anyway, so the lack of urgency is somewhat understandable.

    2. Anonymous Coward

      There is an IDR available for Solaris 10.
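The interim mitigation patrickstar describes in two comments above (remove the setuid bit from dtappgather if the binary is present at all) written out as a small audit-and-fix script. This is an added example, not code from the thread or from Oracle; the default path /usr/dt/bin/dtappgather is an assumption (the usual CDE location), so pass the real path on your system as the second argument if it differs.

```shell
#!/bin/sh
# Added example: check a binary for the set-user-ID bit and strip it.
# Default target path is an assumption; override with the second argument.

# Return 0 if the file exists and carries the setuid bit, 1 otherwise.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Remove the setuid bit and confirm it is really gone.
# Returns 0 on success (or if already clean), 1 if the file is missing
# or the bit is still set after chmod.
strip_setuid() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "not present: $f (nothing to do)"
        return 1
    fi
    if ! is_setuid "$f"; then
        echo "already clean: $f"
        return 0
    fi
    ls -l "$f"                      # record the before state for the change log
    chmod u-s "$f" || return 1
    if is_setuid "$f"; then
        echo "FAILED: setuid bit still set on $f" >&2
        return 1
    fi
    echo "stripped setuid from $f"
}

# Only act when invoked with --apply, so sourcing the file just defines
# the functions. Usage: sh audit_dtappgather.sh --apply [/path/to/dtappgather]
if [ "${1:-}" = "--apply" ]; then
    strip_setuid "${2:-/usr/dt/bin/dtappgather}"   # assumed default path
fi
```

Run it as root after taking a backup of the file's original mode, since a later patch or package reinstall may restore the bit and the check should then be repeated.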

  7. -tim

    The last patch cluster for Solaris 9 was released Nov 2012. The last kernel for Solaris 9 was the end of Feb 2015 and called Generic_122300-70. I wonder just what was and wasn't patched.

  8. gregzeng

    Secret bugs help the spy industries.

    Private IT companies must keep up a strong, invulnerable image, without any bugs. With such a narrow range of eligible code insiders, outsiders can greatly benefit by supplying spy-services to the competitors using this proprietary software.

    Seems like ex-employees, or disgruntled current employees, can enjoy profitable & very secret incomes, as long as the pretence of "perfect" bug-free software MUST be maintained.
