Oracle today emitted a huge batch of 299 security fixes for its software, including a patch for a vulnerability exploited by a leaked NSA tool that can hijack Solaris systems. Details of the massive April dump are in Oracle's own advisory; Oracle describes the updates as "critical" and urges admins to install them "without delay." Among the trove is a patch for CVE-2017-3622, a local privilege escalation hole in the Common Desktop Environment (CDE) on Solaris 10 that the NSA's now-public EXTREMEPARR tool exploits to seize control of vulnerable machines. According to Oracle, the flaw is not present in Solaris 11. That leaves Solaris 7 to 9, on both SPARC and x86, potentially vulnerable; those releases are no longer supported by Oracle, so no fix is coming for them and you're on your own.
ORIGINAL SOURCE: The Register