Researcher: Oracle failed to patch critical flaw

By Bill Brenner, Senior News Writer
27 Jan 2006 | SearchSecurity.com


Oracle Corp.'s most recent patch release failed to address a critical flaw that attackers could exploit to access "excluded" packages and procedures.

David Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., issued that warning and offered a workaround this week via the BugTraq forum operated by Cupertino, Calif.-based AV giant Symantec Corp.

"There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS and the Oracle HTTP Server, that allows attackers to bypass the PLSQLExclusion list and gain access to 'excluded' packages and procedures," Litchfield said. "This can be exploited by an attacker to gain full DBA control of the back-end database server through the Web server."

He said the flaw was reported to Oracle Oct. 26 and that on Nov. 7, NGS alerted the UK's National Infrastructure Security Co-ordination Centre (NISCC). "It was hoped that due to the severity of the problem that Oracle would release a fix or a workaround for this in the January 2006 Critical Patch Update," he said. But the vendor "failed to do so."

He added, "I don't think leaving their customers vulnerable for another three months (or perhaps even longer) until the next [critical patch update] is reasonable, especially when this bug is so easy to fix and easy to work around.

"Again, I urge all Oracle customers to get on the phone to Oracle and demand the respect you paid for."

Oracle e-mailed SearchSecurity.com a statement Thursday afternoon, saying it is currently developing a patch that addresses the vulnerability and intends to issue it in a future quarterly patch update.

"We are disappointed that Litchfield, in an apparent violation of NGS Software's disclosure policy, published a workaround for the vulnerability," Oracle said. "Information provided in a workaround may be used to develop exploits for the identified vulnerability. Additionally, Oracle has determined that the workaround provided by Litchfield can break application functionality on certain systems."

Full details of that workaround can be found in the BugTraq listing. But Danish vulnerability clearinghouse Secunia described it this way in an advisory: "Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities."

This isn't the first time that Litchfield has criticized Oracle's security policies. He has taken the Redwood Shores, Calif.-based database giant to task on several occasions in recent years. He did so following Oracle's July 2005 patch release, when he said some of the fixes didn't actually work. He offered similar criticism after Oracle's October 2005 patching cycle.
