Computerworld - Oracle Corp. released patches for two security holes in its 9i database last week that could have allowed an attacker to take over or run code on affected systems.
The more serious of the two bugs is in the Net Listener component of 9i, which "listens" for client requests for use of the database, according to a security bulletin by U.K.-based Next Generation Security Software Ltd. (NGSSoftware), the company that originally discovered the flaws. A buffer-overflow problem in Net Listener could let an attacker overrun the memory assigned to the application, allowing attack code to be run in the database's security context, NGSSoftware said.
The hole is exploitable from remote computers and affects all Version 9 releases of Oracle9i running on Windows and VM, according to Oracle.
The second vulnerability is also the result of a buffer overflow, this time in Oracle's 9iAS Reports Server, NGSSoftware said. If an attacker overran the buffer in the software, he would be able to run code in the server's security context, which is often the local system context on Windows systems, the company said.
The flaw affects Oracle 9iAS Reports Server 1.0, but not 2.0, and any Oracle product containing Reports Server 6.0.8.18.0 and older, Oracle said.
Both patches are available to Oracle customers at the company's Metalink Web site, which requires registration.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
