Oracle Plugs 122 Security Holes 25
Aditi.Tuteja writes "Oracle has released a 'critical patch update' that plugs 122 security vulnerabilities across the company's databases, enterprise applications, developer tools and middleware. Oracle has also started providing additional information indicating whether a flaw can be exploited by remote attackers without any authentication credentials.
But, Oracle has failed to deliver its patches on all platforms. Patches for Oracle databases 9.2.0.6 and 10.1.0.5 will not be available until the end of this month. Users running Oracle 10.2.0.1 on Linux on Power servers will also have to wait until the end of October, as will users running Oracle 10.2.0.2 on Windows."
Re: (Score:1, Funny)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Last I checked, we're talking anything between 66% to more than double the platforms, and a mean time to a quick fix for a critical bug in weeks vs months.
Not to mention you can usually get about three next-minor-version-number upgrade to the free stuff between "fixes" of the non-free.
I can just hear the Oracle DBAs being happy they had open vulnerabilities and no fixes for soo l
Good (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2, Insightful)
Unbreakable. (Score:4, Funny)
Re: (Score:1)
Re:Unbreakable. (Score:5, Informative)
But like I said... hopefully they've changed their definition of "fix".
On 1/7/05, David Litchfield wrote:
> Some of Oracle's "fixes" simply attempt to stop the example exploits I sent
> them for reprodcution purposes. In other words the actual flaw was not
> addressed and with a slight modification to the exploit it works again. This
> shows a slapdash approach with no real consideration for fixing the actual
> problem itself.
> As an example of this, Alert 68 attempts to fix some security holes in some
> triggers; the flaws could allow a low privileged user to gain SYS privileges
> - in other words gain full control of the database server. The example
> exploit I sent to Oracle contained a space in it. Oracle's fix was to ignore
> the user's request if the input had a space. What Oracle somehow failed to
> see or grasp was that no space is needed in the exploit...
> Here is another class of thoughtless "fix" implemented by Oracle in Alert
> 68. Some Oracle PL/SQL procedures take an arbitrary SQL statement as a
> parameter which is then executed. This can present a security risk. Rather
> than securing these procedures properly Oracle chose a security through
> obscurity mechanism. To be able to send the SQL query and have it executed
> one needs to know a passphrase. This passphrase is hardcoded in the
> procedure and can be extracted with ease. So all an attacker needs to do now
> is send the passphrase and their arbitrary SQL will still be executed...
> In other cases Oracle have simply dropped the old procedures and added new
> ones - with the same vulnerable code!
>
> cases where a flaw was fixed properly, we find the same flaw a few lines
> further down in the code. The DRILOAD package "fixed" in Alert 68 is an
> example of this; and this is not an isolated case. This is systemic. Code
> for objects in the SYS, MDSYS, CTXSYS and WKSYS schemas all have flaws
> within close range of "fixed" problems. These should have been spotted and
> fixed at the time.
Original Litchfield rant (it's a jaw-dropper if you've never read it) -
http://groups.google.com/group/mailing.unix.bugtr
Further down in the thread...
19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any XML-file on the application server via Oracle Report (Not fixed after 700+days)
19-jul-2005 - Advisory: Read parts of any file on the application server via Oracle Report (Not fixed after 700+days)
19-jul-2005 - Advisory: Overwrite any file on the application server via Oracle Report (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from any directory (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from any directory (Not fixed after 700+ days)
Re:Unbreakable...Break it. (Score:5, Insightful)
Business only understands one thing: money. So this needs to cost them money.
So to me the solution is simple: Researchers privately disclose bugs to the vendor along with a Public Release Date....maybe 6-weeks in the future. Non-Negotiable.
Fixed or not*, the bug is fully and publicly disclosed on that date. Since OSS (and MS DRM! heheh) has shown that bugs can be fixed in days or at the most a few weeks this should give a motivated company plenty of time to fix it. And only money motivates a business.
When vendors start getting threatning calls/letters from their customers (either to sue or jump ship) due to unpatched exploits that are public knowledge then they will be forced to fix them.
Oh sure, the vendors will cry foul (and sadly some will probably try and sue researchers instead of fixing their problems) but the fact is that if one person can find an exploit then a second person can find this exploit. And the other guy might not have noble intentions. Every day that a findable exploit exists is a day that the system is at risk...
*This is actually important, b/c if you read the rant you'll note that the 'fixes' are half-assed. I'm pretty confident that if the exploit was going to be made public that the fixes would be more robust...or the company will go bust.
Re: (Score:2)
1. Vendors need an incentive to write bug free code. If vendors know that they can get away with sell-then-patch, they will do just that. But if bugs mean public exploits, angry users, and bad press, they will spend more money on security.
2. Black hats often have the security hole before you. So you're not doing the vendors much of a favor by giving them six weeks; you're just shielding th
Re: (Score:2)
I think most people agree that writing 100% bug free code is impossible. Basing a plan on the impossible is seldom a good idea.
Yup. In the current 700+ day scenario it's easy for this to be true. Shorten the time line and this will be dramatically reduced.