Security researchers warn that Oracle 10g databases may be open to attack as a result of an unpatched vulnerability. A buffer-overflow flaw in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure allows hackers to load malware onto targeted systems. The vulnerability is reported to affect Oracle database version 10g Release 2, …
Great attitude guys!
So with all the flak that MS got from Oracle regarding security (including Oracle's Unbreakable campaign about 6 years ago), I think it's totally outrageous that Oracle's answer to fixing a security flaw is 'Yes we have resolved the problem, but we're not releasing the fix until next year.' - yeah, that's the way to win confidence in your customers lads!
So whilst admins are waiting for the fix, they will have plenty of anxious moments wondering if they are at risk from this bug.
At least MS has gotten their act together and releases security patches often. Even if they do still get negative opinions about their software, at least they have listened to customer needs regarding software security.
NHS Spine upgrade to Oracle 10g
Apparently, according to....
That link, the NHS are due to upgrade the SPINE to Oracle 10g at the end of this month.
That could be fun for privacy bods!
I'm not sure I want a "rushed" patch....
Yes, 2 months is a long time to wait for a patch. But I'm willing to wait.
Oracle has a much higher stability requirement than, say, Microsoft OS patches, or various web browsers. They have rigid patch release cycles because there are lots of steps involved in coding, checking, testing, etc. patches before they can make a release. They simply cannot hack a quick fix together in a day or two and throw it out there.
And frankly, how big of a risk is this? The Oracle database servers on projects that I've run would never be exposed to external access. And to EXPLOIT this vulnerability (to install malware on the server) the attacker must already be signed into the database... aren't you basically screwed anyway if you're letting unknown users get that far?
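One way a DBA could gauge and limit the exposure the article and this comment describe while waiting for the patch, as an added example that is neither Oracle's guidance nor part of the thread; it assumes a DBA session on the affected 10g Release 2 instance, and that EXECUTE on the package may be granted to PUBLIC is an assumption that the first query checks:

```sql
-- Added example (not from the article or the thread): inventory who can
-- run the affected package and narrow that set while the fix is pending.
-- Assumes a DBA session on the 10g Release 2 instance.

-- 1. Who can execute XDB.XDB_PITRIG_PKG?  A PUBLIC grant (an assumption
--    this query tests) means any authenticated account can reach the
--    procedure, which is exactly the "signed in" precondition above.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'XDB_PITRIG_PKG';

-- 2. Record every execution of the package so that calls from accounts
--    with no business in XDB stand out in DBA_AUDIT_TRAIL
--    (requires the AUDIT_TRAIL initialisation parameter to be enabled).
AUDIT EXECUTE ON xdb.xdb_pitrig_pkg BY ACCESS;

-- 3. If step 1 lists PUBLIC, withdraw that grant and re-grant only to the
--    accounts that genuinely need it. Test on a non-production copy first,
--    since XML DB features may depend on the package.
REVOKE EXECUTE ON xdb.xdb_pitrig_pkg FROM PUBLIC;
```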
I reckon that we should start a good ol' fashioned my database is better than your database row, a la the MacOS, Windows, Linux rows.
Here are my starters for ten:
Oracle sucks, their security is bollox, you want to get yourself SQL Server, a modern database: cheaper, faster, better.
Oracle sucks, you want to get yourself DB2, runs on almost all hardware not like that sucky SQL server
DB2? An old database for old men, who cares if it runs on z/OS.
SQL Server? WTF? Why would you get a database that only runs on Winblows?
Zero dDay Opportunities.
"And to EXPLOIT this vulnerability (to install malware on the server) the attacker must already be signed into the database... aren't you basically screwed anyway if you're letting unknown users get that far?"
Who is saying that the users are unknown? They could be known unknowns that you didn't know you knew.
And to EXPLOIT the Zero dDay Opportunities, ignore them as malware at your Peril for who would be to say that it is not palware...... which would be perfectly consistent with known unknowns having got that far.
Pause....Ponder.... Promulgate Privately Pleases Parallel P.Irate* Programmers.
* Pretty Irate
DB holy war
No I can't t o o d u l l who cares.
Who gives a monkey's?
Must be a slow news day at El Reg ...
there is a bug - you can't get a patch until January - oh dear what can I do then?
Answer: Nothing - so I can't get worked up about it.
Talk about alarmist nonsense.