The Week of Oracle Database Bugs
os2man writes "After the Month of Browser Bugs and the Month of Kernel Bugs, December will have a Week of Oracle Database Bugs. This project will release, every day for a week, a new 0-day bug specific to Oracle in order to show the current status of its [in]security. They are currently asking for new bugs, in order to extend the publication of new exploits a few more days."
Great (Score:4, Interesting)
um yeah (Score:5, Insightful)
Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.
doesn't even make sense. They have enough to do a whole year but ask for people to send in more to extend it to a second week? Because they don't want to compromise their entire zero day horde? Sorry but I just can't take these people too seriously.
Bug vs. Exploit... (Score:3, Interesting)
Extending the week to two would be fine if it helps motivate Oracle to patch their software *before* someone makes these more trivially exploitable.
I feel like we are caught in a .... timeloop (Score:4, Insightful)
So whatever. They had a week's worth of exploits and they'd like some other people to pony up so they can make it two while holding on to some super-secret exploits. 7337!
Anyway, slamming on Oracle seems a little silly. It's software, there will be problems.
Re: (Score:1)
I agree with the first sentence, I completely disagree with the second.
Focusing just on one vendor does seem sort of school-yard-teasing childish. It would be nice if they had a better description than "they are the #1 star."
But the fact that software has problems does not mean that those issues shouldn't be addressed. And if public embarrassment is required to force a vendor's hand, so be it (though I'm not saying that
Re: (Score:1)
For more than 27 years, Oracle has built a reputation for delivering many of the industry's most secure solutions (http://www.oracle.com/security/)
they make themselves a target.
I agree, software has bugs. But when a marketing department tries to imply company X is immune, then if somebody is going to get targeted, it might as well be company X in my book.
That Apple ad where "PC" is sick and "Mac" is all touching PC's snotrag pissed m
Re: (Score:2)
I sometimes wonder whether Apple have got all 'look at us, aren't we great!' because they still to an extent can't get over the fact that they have a reasonably robust OS. I think many of us suffered for many years (particularly through the MacOS 7-9 period) with an OS which would happily destroy itself without the need for any exploits or viruses. A serious day's work in Photoshop would be enough t
Re: (Score:2)
I'd go so far as to say that Oracle is worse than Microsoft when it comes to responding to vulns.
Re:um yeah (Score:4, Interesting)
This is a group of (or singular) kiddies who want to make Oracle look bad. That's fine, and Oracle is a big company that I'm sure can take care of itself (C&D paperwork is probably burning out toner cartridges by the gross at Oracle HQ as we speak). My concern is that folks that are good at security testing, but too young to know how to direct their efforts constructively, are going to destroy their fledgling careers before they get started. Many such bright kids these days assume that they'll make a name for themselves, and then the consulting bucks will roll in. Problem is that the wrong kind of press can lead to SOME work, but far less than you would have gotten by building a reputation in the industry through the quality of your work and references.
As with security, in the job/consulting world social engineering is often a better approach than trying to pick the lock on the front-door.
Re: (Score:3, Insightful)
I was going to mod this up, but I thought I'd post instead. Oracle database work is my livelihood. Oracle makes no qualms about the number of bugs they have. Many of them are posted for all to see on their MetaLink support site. Many of them are not public for security reasons - and well they should be.
I've found several Oracle bugs in my dealings with the software. I create a reproducible test-case and send it to them. They always respond with 1) this is a known bug, and it's bug #nnn; or 2) bug reproduc
Re: (Score:2, Insightful)
"worrying about "breaking something critical" is not a good excuse"
Tell me, if your data was tied up in an [Oracle] database (and really, any database could be replaced between the [] for this question) and that data was key to your business processes - now we're talking about multi-billion $$$ corporations whose data is their livelihood - and Oracle were to release a patch and all of a sudden their data started corrupting or simply stopped working. You don't call that a good excuse???
Sorry, that doesn'
Re: (Score:2)
I used to work as an Oracle DBA for a blue chip company and I find their service levels ludicrous.
Re: (Score:3, Insightful)
Sir, I have a car to sell you. There have been a number of customers killed in it, but I will not tell you why, until I get around to fixing the problem.
No, it's not. If I have an Or
Re: (Score:2)
Well, that's one side of the full disclosure debate. The other side, of course, is that some vendors once had even worse reputations for fixing security vulnerabilities than they currently do. Full disclosure evolved in part as a means of holding their feet to the fire. As far as I can tell, the jury is still out on exactly how effective full disclosure is. It's certain that vulnerabilities that are being actively exploited can still remain unpatched for an
Re: (Score:2)
How much do you care to bet that this hacker has a lot of Oracle stock shorted? Release the big 0-day exploits first, see the stock drop like a rock and cover on the short. Then pick it up in a little as it slowly rebounds and make more.
One week, two weeks, the timeframe doesn't matter. It just has to be enough to make an event out of it.
Re: (Score:2)
A scramble to fix bugs is costly; every major customer getting wtfpwned in a single month is MUCH more costly.
Fishing expedition? (Score:2)
0-day (Score:5, Funny)
Oracle is unbreakable (Score:4, Funny)
Next (Score:5, Funny)
Re:Next (Score:4, Funny)
Not sure what is being achieved here (Score:3, Insightful)
It's been 1 year with no known exploits in SQL Server 2005 (zero in the product lifetime)
http://blogs.technet.com/security/archive/2006/11
No kidding?! (Score:2, Interesting)
why don't (Score:2)
Couldn't they have done this a year ago? (Score:3, Interesting)
The final CPU for the 8.1.7.4 database release comes out in January. It's highly unlikely that anything revealed in this effort will be fixed for 8.1.7.4.
That's an important release... it's the last one (that's supported) that will talk to Oracle 7 or early v8 databases (as a client). My company has thousands of win32 clients rolled out, and a fair number of servers supporting some critical apps (think Peoplesoft).
8.1.7.4 was a great release. Small, not a lot of cruft. I wish it (and we) weren't hanging in the breeze. DB2 customers are lucky for their long support.
Discovered in our DB class (Score:3, Interesting)
This query:
select ordid, lineno, orderdate
, descrip "Description"
, total
from ord natural join item natural join product
is evaluated incorrectly in Oracle 10g (rel. 10.2.0.1).
Compare its output with the correct results generated by this query:
select ordid, lineno, orderdate
, descrip "Description"
, total
from item natural join product natural join ord
or this:
select ordid, lineno, orderdate
, descrip "Description"
, total
from ord natural join (item natural join product)
or this:
select ordid, lineno, orderdate
, prodid
, descrip "Description"
, total
from ord natural join item natural join product
This solution:
select ordid, lineno, orderdate
, descrip "Description"
, total
from (ord natural join item) natural join product
does not work either. The optimizer insists on doing a cartesian product between ORD and PRODUCT.
This is a new bug. It does not exist in Oracle 9i, which evaluates all queries correctly.
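The comment's point is that a correct engine must return the same rows for every association of the three NATURAL JOINs. This added example (not from the thread, not Oracle's code) is a small reference implementation of NATURAL JOIN over constructed in-memory tables, with the three join orders the comment lists checked against an explicit ON-style join, which is the comparison a DBA can run on a real database to confirm or rule out the misbehaviour. Column names follow the comment; the row contents are invented.

```python
# Added example: reference NATURAL JOIN semantics, used to check that the three
# join orders from the comment agree with an explicit-key join. Sample data is
# constructed, not taken from any Oracle demo schema.

def natural_join(left, right):
    """Join two lists of row dicts on every column name they share.
    With no shared column the result degenerates to a cartesian product,
    which is why joining ORD straight to PRODUCT is wrong in this schema."""
    if not left or not right:
        return []
    common = sorted(set(left[0]) & set(right[0]))
    return [{**l, **r} for l in left for r in right
            if all(l[c] == r[c] for c in common)]

def project(rows, cols):
    return sorted(tuple(row[c] for c in cols) for row in rows)

# Constructed tables: ORD and ITEM share ordid, ITEM and PRODUCT share prodid,
# ORD and PRODUCT share nothing.
ORD = [{"ordid": 1, "orderdate": "2006-12-01"},
       {"ordid": 2, "orderdate": "2006-12-02"}]
ITEM = [{"ordid": 1, "lineno": 1, "prodid": 100, "total": 20.0},
        {"ordid": 1, "lineno": 2, "prodid": 200, "total": 5.0},
        {"ordid": 2, "lineno": 1, "prodid": 100, "total": 40.0}]
PRODUCT = [{"prodid": 100, "descrip": "Widget"},
           {"prodid": 200, "descrip": "Gadget"}]
COLS = ["ordid", "lineno", "orderdate", "descrip", "total"]

def query_variants():
    """The three join orders from the comment, each projected to the select list."""
    a = natural_join(natural_join(ORD, ITEM), PRODUCT)   # ord ⋈ item ⋈ product
    b = natural_join(natural_join(ITEM, PRODUCT), ORD)   # item ⋈ product ⋈ ord
    c = natural_join(ORD, natural_join(ITEM, PRODUCT))   # ord ⋈ (item ⋈ product)
    return [project(x, COLS) for x in (a, b, c)]

def reference_rows():
    """Same query written with explicit join keys (the ON-clause form)."""
    return sorted((o["ordid"], i["lineno"], o["orderdate"], p["descrip"], i["total"])
                  for o in ORD for i in ITEM if i["ordid"] == o["ordid"]
                  for p in PRODUCT if p["prodid"] == i["prodid"])

def natural_joins_consistent():
    """True when every NATURAL JOIN ordering matches the explicit-key join."""
    ref = reference_rows()
    return all(v == ref for v in query_variants())
```

On a live database the same check is a row-by-row comparison (e.g. MINUS in both directions) between the NATURAL JOIN query and its explicit ON-clause rewrite; any difference is the bug the comment describes.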
Natural joins broken in Oracle 10g (Score:1)
FUD alert (Score:2)
Whilst some parts of the Oracle Server can be exposed to clients, in my experience with Oracle (for 10 years) a back-end Oracle Server is generally hidden so far within the data centre, behind so many firewalls, that it would be hard to get near it.
What causes issues is that generally Oracle userids and passwords are stored in freetext somewhere in order to access the database by an application. Thi
Check the Copyright - We Missed It... (Score:3)
Must have been for 7i. Bet the response from Oracle will be something along the line of upgrade to 10g.
Bah (Score:2)