Version: 2008
  • On CHOW: Sexy vampire party

April 26, 2006 4:16 PM PDT

Patched Oracle database still at risk, bughunter says

By Dawn Kawamoto
Staff Writer, CNET News

  • 3 comments
Related Stories

Oracle sews up multiple security holes

 April 18, 2006

Halloween treat for Oracle: A database worm

 November 1, 2005
Oracle's latest update fails to tackle a database flaw that has already been exploited, a security researcher has warned.

Last week, the business software maker issued its quarterly Critical Patch Update, addressing more than 30 flaws in its software. However, the update for Oracle 10g Release 2 does not plug a hole that allows published attack code to run, according to a message sent to the Full Disclosure security list on Wednesday by David Litchfield, a researcher at Next Generation Security Software.

The exploit, released on the Internet last week, isn't for a flaw that Oracle patched, but for a new problem. Initially, experts believed it was for one of the patched vulnerabilities.

Intruders could still gain higher privileges on a system via the new flaw in the database's (DBMS) export extension--a component that has been a recurring source of problems, Litchfield wrote.

Other versions of 10g may also be affected, Symantec said in an alert to users of its DeepSight intelligence service.

"We strongly encourage database administrators to revoke public execute permissions for DBMS export extension until an adequate vendor-supplied patch is available for this issue," the security company advised.

Oracle was not available for comment.

Litchfield expressed frustration at Oracle's response to the problem in Oracle 10g Release 2. "This specific flaw was reported to Oracle on the 19th of February 2006," Litchfield wrote.

He went on to give details of other problems related to the issue, which he said Oracle had tried, but failed, to remedy since he first reported them in April 2004.

Security researchers have criticized Oracle for being slow to patch and for not working well with them to fix security holes. In response, Mary Ann Davidson, the business software maker's chief security officer, has said that researchers themselves can be a stumbling block to product security.

See more CNET content tagged:
David Litchfield, Oracle Corp., Oracle Application Server 10g, business software company, DBMS

Add a Comment (Log in or register) (3 Comments)
  • prev
  • 1
  • next
Because every DBA I know . . .
by JulesLt April 26, 2006 4:42 PM PDT
. . grants public export rights.
Reply to this comment
Same Story... Different Company...
by wbenton April 29, 2006 9:08 AM PDT
They are following in Microsoft's footsteps tooth and nail...

That's why this story doesn't surprise me. Quarterly patches went out the door a decade ago!!!

FWIW
Reply to this comment
this story doesn't surprise me
by alek_nedic May 6, 2007 3:00 PM PDT
http://www.analogstereo.com/mazda_miata_owners_manual.htm
(3 Comments)
  • prev
  • 1
  • next
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

Oracle Corporation (-0.14%) -0.03 21.80
Dow Jones Industrials (0.20%) 20.03 10,246.97
S&P 500 (-0.01%) -0.07 1,093.01
NASDAQ (-0.14%) -2.98 2,151.08
CNET TECH (0.21%) 3.30 1,571.59
  Symbol Lookup
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET