Industry players are quickly learning that some of the holes Oracle closed in its latest security patch affect more than just Oracle software, because Oracle’s Outside In library is used in other products to convert files between formats.
As well as Microsoft’s Exchange Server and SharePoint, products from Cisco, HP, IBM, Novell, Symantec, McAfee and others are affected.
At issue is not a single hole, but 14 holes in the parsing of certain types of file. The affected file formats are .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG and .CDR.
A program that opens a specially crafted file using the Oracle libraries can be compromised. A range of server services are affected, including anti-virus scanners like McAfee GroupShield, as well as desktop applications that need to handle different file types, such as the Guidance EnCase Forensic toolkit.
One of the US-CERT advisories lists companies and products that use the Oracle libraries and are also vulnerable. Among them are:
• Cisco Security Agent
• Guidance EnCase Forensic
• Kroll Ontrack
• IBM OmniFind Enterprise Edition
• Novell Groupwise
• McAfee GroupShield and Host Data Loss Prevention
• Symantec Enterprise Vault
It is still unclear whether all products that use Outside In are vulnerable; there are, for example, several print servers on the list. Microsoft has published a dedicated advisory on the vulnerability. It is also unknown whether, or when, the various manufacturers will have patches for their products ready for customers.