January 25, 2006 11:00 PM PST
Oracle critiqued again over patching speed
- Related Stories
Gartner: Oracle no longer a bastion of securityJanuary 24, 2006
Oracle to 'Fortify' its source codeDecember 20, 2005
Halloween treat for Oracle: A database wormNovember 1, 2005
Flaw hunters pick holes in Oracle patchesOctober 27, 2005
Oracle dragging heels on unfixed flaws, researcher saysJuly 19, 2005
Bug hunter David Litchfield on Wednesday provided limited details on a new, unpatched security flaw in Oracle software. The problem lies in the PLSQL Gateway, a component of the Oracle Internet Application Server, the Oracle Application Server and the Oracle HTTP Server, he said in an e-mail to the BugTraq mailing list. Litchfield is co-founder of U.K.-based Next Generation Security Software and one of Oracle's most vocal critics.
The flaw can be exploited by an attacker to gain full administrator-level control of a database server through a Web server, Litchfield wrote. He provides a workaround in the mail so Oracle users can protect themselves against attacks. The flaw was reported to Oracle on Oct. 26. Litchfield had hoped that Oracle would provide a fix or a workaround on its recent patch release day. "They failed to do so," he wrote.