Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Virus and Vulnerability Roundup
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Oracle releases, then pulls, zero-day database exploit code

Details about the zero-day hole sat on company portal for hours
Robert McMillan   Today’s Top Stories   or  Other Spam, Malware and Vulnerabilities Stories  
 

Sign up to receive Spam, Malware and Vulnerabilities Resource Alerts

April 10, 2006 (IDG News Service) -- Oracle Corp. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code that could be used to exploit the problem. Details of the vulnerability were published last Thursday in a note that was briefly posted to Oracle's Metalink customer support portal.

The security community learned of the vulnerability early today when researcher Alexander Kornbrust posted an advisory on the situation to the Full Disclosure mailing list. Oracle removed the information on Friday, after being informed of the security risks associated with the Metalink note, said Kornbrust, a business director at Red-Database-Security GmbH, in Neunkirchen, Germany.

Oracle is planning to address the matter, the company said today. "Oracle is aware of information that was posted to Full Disclosure regarding a vulnerability in Oracle Database 9i and Oracle Database 10g. We plan to provide customers a patch that addresses this vulnerability in a future quarterly critical patch update," a company spokeswoman said.

The database vendor's next set of security patches is due on April 18.

In order to exploit the vulnerability, attackers would first need to have an account on the Oracle database, making this vulnerability unlikely to be exploited via the Web. However, by creating specially crafted queries, database users who would normally only be able to read data would be able to change the underlying data.

The vulnerability affects Oracle's database Versions 9.2.0.0 to 10.2.0.3 running on any operating system.

Kornbrust has published a number of work-arounds for the problem, which he does not believe will be patched in Oracle's April security updates. The work-arounds can be found on the Red-Database-Security site.

The security researcher said he decided to go public with the information on the vulnerability because enough people had already seen Oracle's Metalink note that it posed a risk for Oracle users.

It is ironic that the original source of this unpatched exploit, called a zero-day in hacker parlance, was Oracle itself, given Oracle's past criticism of researchers who disclose such vulnerabilities, Kornbrust said. "This time they can't blame security researchers," he said.

Oracle had no comment on how it came to release this sensitive information, but Kornbrust speculated that happened because of a mistake by the vendor's support organization.

"It looks to me like someone from Oracle support found information about this bug, and he was not aware that it was a security issue," he said. "I think the poor guy who published this information did this in context of helping people."


Reprinted with permission from

IDG.net
Story copyright 2008 International Data Group. All rights reserved.


Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Blogs

"Well, this malware attack approach is a new one to me. If you're like a lot of people, copying and..." Read more...
"Angelina Jolie pregnancy was not a hoax; John McCain is not going to Vietnam as part of his presidential campaign;..." Read more...
Read more Security posts or See all Blogs

Vista users rush for SP1, XP owners dawdle on SP3
iPhone 3G owner sues Apple over dropped calls, slow speeds
Microsoft eases use of Photosynth
Facebook hopes new ad scheme can engage users
Microsoft to buy up to $100M in Novell SUSE Linux support vouchers
Ericsson, STMicro to form mobile chip venture
Wi-Fi in-flight comes to some American routes
How to turn a software pirate into a paying customer
Yahoo Buzz poses serious threat to Digg, some users say
Emergency notification displays to bolster Virginia Tech alert systems
More top stories...
WSJ: Microsoft hires Seinfeld to bite Apple
China blocks iTunes, users claim
Amazon launches persistent storage in the EC2 cloud
Mozilla names best Firefox 3 add-ons
Apple's MobileMe lacks key security feature
Get tough on telecommuting: 6 questions to ask before you say yes
Comcast: New traffic management plan still in the works
Online encyclopedia lists internal network security threats
Microsoft seeds WSUS with Windows 7 Client
Palm plans to sell Treo Pro without U.S. operator partner

Forgotten PC history: The true origins of the personal computer
The x86's lineage can be traced back to 1968, to a design on a napkin drawn by Austin O. "Gus" Roche, an all-but-forgotten engineer in Texas who was obsessed with creating a personal computer.
Make Leopard leap: Time-saving tips for OS X 10.5
Are you using the latest version of Mac OS X efficiently? Try our tips and watch your productivity soar.
Free Windows XP tuneup: Put new life into an old workhorse
Just because Microsoft's done with XP doesn't mean you have to be. Keep XP in the game with these downloads, tweaks and hacks.
Opinion: Why the iPhone is Apple's Trojan horse
Apple's new iPhone software is more significant for IT than the new iPhone itself, says Michael Gartenberg.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.

IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
The File Data Management Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Business Intelligence and Analytics Zone
Windows Protection Zone
Identity & Security Management Zone


Ads by TechWords

See your link here
Why SaaS is Vital to Email and Web Security
Why SaaS is Vital to Email and Web Security
Download this free webcast, for a limited time, compilments of Webroot Software!
Go to the webcast 
Managing Mobile Data with Endpoint Security for Laptops
Download this white paper now, compliments of Computerworld and Absolute Software.
(Source: Absolute Software) A NetworkWorld survey of IT professionals found that only 1 in 100 employees consistently follow data security policy. This paper outlines endpoint security for laptops that restricts data access beyond encryption to safeguard against insider threats and user error.Read this whitepaper to learn lessons from recent data breaches, limitations of traditional data security, and how to remotely wipe out data and monitor computers that go off the network.
Download this executive briefing download
Top 10 Reasons to Upgrade
Get this white paper now!
(Source: Symantec) Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Leading Analyst Firm: Penetration Testing is a Requirement
Gartner Paper: US Data Centers - The Calm Before the Storm
How Much Will an Office 2007 and Vista Migration Hurt?
View more whitepapers