ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Industry watch Toolkit

Oracle software vulnerability exposed

Stephen Shankland, CNET News.com CNet

Published: 06 Jul 2001 09:21 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Researchers have found a security hole in Oracle's 8i database program that could let an outside attacker take over the software and -- in the case of a Windows computer -- the entire system.

Researchers at Covert Labs, part of Network Associates' PGP Security group, discovered the vulnerability and ranked its risk as "high." Oracle has acknowledged the problem, fixed it in the newest 9i version of its software and issued a patch for the earlier releases.

"This is a pretty significant vulnerability for Oracle users," said Jim Magdych, security research manager for PGP Security.

The problem occurs in a part of Oracle's database software called the "listener", which handles communications between people using the database and the database itself, Magdych said. The attack works by sending more information than the software expects, a process called a "buffer overrun".

In a buffer overrun attack, the extra characters are written into the computer's memory. A clever attacker can place commands in just the right patch of memory to make the computer's chip run a program that can be used to give access to the attacker, Magdych said.

What the attacker does next varies according to what type of system has been compromised. In the case of the Oracle security hole, the attacker would have access privileges to the database itself, granting him permission to view or change any information in the database.

Oracle runs with very broad powers on a Windows system, so an attacker there would have complete control over the system, Magdych said. Oracle has narrower powers running under the Unix operating system, but the Oracle permission would be a useful foot in the door for further attacks that could lead to complete control, he said.

Covert Labs has a staff of about six scouring software commonly used on the Internet, Magdych said. Earlier this year, the team discovered several serious problems with Berkeley Internet Name Domain (BIND), widely-used software that links a computer's numerical Internet address with its URL.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
43 out of 104 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Industry watch


Company/Topic Alerts

Create a new alert from the list below:










Related Jobs

12 Month fixed Term Contract (North West)

Technology Risk Analyst, IT Security, CISM, CISSP, CISA, SSCP, London

TAM/ Technical Account Manager, German Speaker, Berkshire

Discussions

MobileDataUK MobileDataUK

Re: Dell Inspiron Mini 9 with Vodafone...

Friday 10 October 2008, 11:50 PM

6 comments
Telic Telic

MacLinux

Friday 10 October 2008, 10:34 PM

5 comments
1000215420 1000215420

Punishment & Deterrent

Friday 10 October 2008, 9:37 PM

4 comments
1000215420 1000215420

Punishment & Deterrent

Friday 10 October 2008, 9:36 PM

4 comments

View All

Featured Talkback

In association with Intel
When all is said, if Microsoft produce the best product people will buy it and thats a good thing. If people have to buy their product because no one else can produce an alternative, only because interoperability protocols are kept secret, then thats a bad thing.

By: pround

Read full story:
EU court crushes Microsoft's antitrust appeal