February 18, 2003 4:39 PM PST

Oracle plugs six-pack of flaws

Related Stories

Red Hat, Oracle to certify Linux for gov't

February 12, 2003

Damage control

February 6, 2003

Guru says Oracle's 9i is indeed breakable

February 6, 2002
Next-Generation Security Software, the British security firm that discovered the bug that allowed the Slammer worm to proliferate last month, has discovered a six-pack of flaws in Oracle's newest database product.

Redwood Shores, Calif.-based Oracle released patches for the six vulnerabilities--four deemed critical and two merely serious--last week.

Oracle has tried to structure the way it releases patches for its products, so that customers aren't inundated with fixes, said Mary-Ann Davidson, the company's chief security officer.

"I always worry about whether people apply the patches," she said. "We did revise our bug handling, so we have a formula for what is big and nasty. If it's above a certain severity threshold, we can release the fix as a one-off, before we release an (entire) patch set."

The formula includes factors such as how widely used the impacted software is and what effects exploiting the flaw can have.

The current flaws include four critical buffer overflows in various components of Oracle's database server software, including its latest Oracle 9i Release 2. Buffer overflows, or overruns, occur when an application does not handle memory correctly. By causing a buffer overflow, attackers can insert their own code into the execution of the application. Each of the four flaws could allow a malicious user--someone who already has some access to the database--to gain complete control of the server.

Two other vulnerabilities could use other Oracle components to cause a denial-of-service attack.

Davidson said that six flaws, in five advisories, may sound a daunting number but that Oracle decided that separating the alerts made more sense than releasing a single combined notification, a strategy occasionally used by Microsoft.

"We aren't going to play that game," she said. "We could have bundled all of these into one alert, but we thought that would have been confusing to people."

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.