[ISN] 34 flaws found in Oracle database software

InfoSec News isn at c4i.org
Wed Aug 11 01:40:55 EDT 2004

Forwarded from: chris <chris at defcon.org>
Subject: Re: [ISN] 34 flaws found in Oracle database software 


I attended this presentation and it is true that Dave did not do any zero-
days.  It was, however, an incredible presentation on SQL 
injection/queries.  In addition, due to A/V technical difficulties, Dave 
spent the first 20 minutes of the talk doing a Q&A with the audience on 
Oracle/SQL vulnerabilities that was worth the price of admission all by 
itself.  He started the presentation after the A/V guys got the projectors 

The room was packed to capacity, SRO, and as far as I could tell no one 
walked out.  My guess is that Jaikumar Vijayan did not attend the talk.


On Mon, 9 Aug 2004, InfoSec News wrote:

> Forwarded from: security curmudgeon <jericho at attrition.org>
> [Few comments on this article..  -jericho]
> : http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
> :
> : By Jaikumar Vijayan
> : AUGUST 03, 2004
> :
> : Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
> : in its database software that were disclosed to it early this year by a
> : British bug hunter.
> Thirty-four is a lot.. perhaps Oracle could stand to hire some audit
> talent.
> : "They include buffer overflows, SQL injection issues and a whole range
> : of other minor issues," said Litchfield, who discovered the flaws. He
> : said that he reported them to Oracle in January and February.
> Seven to eight month turnaround time... chalk that up to "regression
> testing"?
> : Oracle confirmed the existence of the flaws, which were discussed
> : publicly at last week's Black Hat security conference in Las Vegas, but
> : did not offer any further comment. In an e-mailed statement, a company
> : spokeswoman said that Oracle had fixed the flaws and would issue a
> : security alert "soon."
> http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html
>  All New 0-Day
>  David Litchfield, Founder, Next Generation Security Software
>  This presentation will be entirely new and never seen before. Code
>  included.
> Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf
> set of slides (with or without 0-day). I also heard in passing that
> Litchfield told the audience first thing that there would be no 0-day
> disclosure, instead there would only be generic SQL injection
> discussion.
> Can anyone confirm this? If true, did Jaikumar Vijayan not attend the
> talk and write this based solely on the schedule?