[ISN] 34 flaws found in Oracle database software

InfoSec News isn at c4i.org
Wed Aug 4 13:47:21 EDT 2004


By Jaikumar Vijayan 
AUGUST 03, 2004

Oracle Corp. will soon issue patches to fix 34 different
vulnerabilities in its database software that were disclosed to it
early this year by a British bug hunter.

The flaws, a majority of which are serious, affect both existing and
previous versions of Oracle's database technology, said David
Litchfield, managing director of Surrey, England-based Next Generation
Security Software Ltd.

"They include buffer overflows, SQL injection issues and a whole range
of other minor issues," said Litchfield, who discovered the flaws. He
said that he reported them to Oracle in January and February.

"Some of them can be exploited without a user ID and password, while
others require them," Litchfield said. Nearly 90% of the flaws allow
attackers to potentially gain complete administrative control of
vulnerable database servers, he said.

Oracle confirmed the existence of the flaws, which were discussed
publicly at last week's Black Hat security conference in Las Vegas,
but did not offer any further comment. In an e-mailed statement, a
company spokeswoman said that Oracle had fixed the flaws and would
issue a security alert "soon."

According to Litchfield, some of the vulnerabilities are easy to
exploit, whereas others require attackers to have fairly detailed
technology skills. He said that his company has exploits available
that take advantage of the flaws but that it has no plans to release
them publicly.

Litchfield also claimed that Oracle told him patches were available to
fix the problems a few months ago. But the company appears to be
waiting for an updated patching process to be ready before releasing
the fixes, he said.

"It is my opinion that they could have run the old patching process up
until the time that the new patching procedure was ready. There really
is no point in exposing users to unnecessary risks," he said.

Litchfield and his brother, Michael Litchfield, have discovered
several previous vulnerabilities in Oracle software, including 20 on
the very day the database giant launched its "Unbreakable" marketing

The discovery of such flaws by people who go specifically looking for
them should come as no surprise given the size and complexity of
today's application software, said Bruce Schneier, co-founder and
chief technology officer of Counterpane Internet Security Inc. in
Mountain View, Calif.

"This could happen to anyone. It tends to happen to Microsoft a lot,"  
Schneier said. "The bugs are already there. All you can do is react
when somebody points them out."

The companies that make it their mission to discover such flaws are
often driven by a "bunch of motivations," Schneier said.

More information about the ISN mailing list