LAS VEGAS -- In recent years, security guru David Litchfield has focused much of his Black Hat stage time on database giant Oracle Corp. and Oracle database flaws. This time around, however, he set his sights on 20-plus vulnerabilities in IBM's Informix family of database products.
During the opening day of Black Hat USA 2006 Wednesday, Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., demonstrated how attackers could exploit the Informix security holes to create malicious files and libraries, gain database administrator (DBA)-level privileges, access sensitive data and cause a denial of service. He said the flaws illustrate the growing perils of database security in general and that IT shops must pay more attention to database security.
Litchfield said he'll release advisories explaining the flaws in greater detail later Wednesday and Thursday, but other vulnerability watchdogs have already started posting their own advisories. Danish vulnerability clearinghouse Secunia, for example, issued an advisory describing approximately 16 flaws and credited Litchfield and his team with the discovery.
The vulnerabilities affect IBM Informix versions 7.3, 9.4, and 10.0.
The good news, Litchfield said, is that IBM has already addressed the flaws in versions 7.31.xD9, 9.40.xC8, and 10.00.xC4. In contrast to his often strained exchanges with Oracle, Litchfield said, IBM has been responsive.
For a time during the 1990s, Informix was the No. 2 database system after Oracle, Litchfield noted. IBM acquired Informix in 2001.
While the Informix problems have been addressed, Litchfield said they point to a larger issue: database flaws are pervasive throughout the industry. He again used Oracle as an example, noting that the database giant has fixed more than 100 serious flaws but has yet to address another 400-plus vulnerabilities, the estimated number of unpatched flaws according to his work and that of other researchers.
Database attacks, he said, "offer the biggest potential for fraudulent activity and damage to companies' reputations and customer confidence." The long string of data breaches of the past year and a half, he said, is proof of this.
"The database attacks are out there and these data breaches show it," he said. "They just aren't noticed at the time."
While the best thing Informix customers can do is install the updated versions, Litchfield said there are other steps they should be taking to protect their systems. Priority one, he said, is to practice the policy of least privilege.