Multiple flaws found in Oracle database software
- 04 August, 2004 07:50
Oracle will soon issue patches to fix 34 different vulnerabilities in its database software that were disclosed to it early this year by a British bug hunter.
The flaws, a majority of which are serious, affect both existing and previous versions of Oracle's database technology, said David Litchfield, managing director of Next Generation Security Software.
"They include buffer overflows, SQL injection issues and a whole range of other minor issues," said Litchfield, who discovered the flaws. He said that he reported them to Oracle in January and February.
"Some of them can be exploited without a user ID and password, while others require them," Litchfield said. Nearly 90 percent of the flaws allow attackers to potentially gain complete administrative control of vulnerable database servers, he said.
Oracle confirmed the existence of the flaws, which were discussed publicly at last week's Black Hat security conference in Las Vegas, but did not offer any further comment. In an e-mailed statement, a company spokeswoman said that Oracle had fixed the flaws and would issue a security alert "soon."
According to Litchfield, some of the vulnerabilities are easy to exploit, whereas others require attackers to have fairly detailed technology skills. He said that his company has exploits available that take advantage of the flaws but that it has no plans to release them publicly.
Litchfield also claimed that Oracle told him patches were available to fix the problems a few months ago. But the company appears to be waiting for an updated patching process to be ready before releasing the fixes, he said.
"It is my opinion that they could have run the old patching process up until the time that the new patching procedure was ready. There really is no point in exposing users to unnecessary risks," he said.
Litchfield and his brother, Michael Litchfield, have discovered several previous vulnerabilities in Oracle software, including 20 on the very day the database giant launched its "Unbreakable" marketing campaign.
The discovery of such flaws by people who go specifically looking for them should come as no surprise given the size and complexity of today's application software, said Bruce Schneier, co-founder and chief technology officer of Counterpane Internet Security.
"This could happen to anyone. It tends to happen to Microsoft a lot," Schneier said. "The bugs are already there. All you can do is react when somebody points them out."
The companies that make it their mission to discover such flaws are often driven by a "bunch of motivations," Schneier said.
"Some companies make their name finding bugs," he said. "Some academics do it because they are trying to do research projects. People who find the stuff have their motives, and it's not all altruism."