Mike Chapple

Microsoft’s security team must be breathing a sigh of relief this week.
Two major database security vulnerabilities were announced to the public,
and neither one involves SQL Server. In fact, they both affect users of
database servers produced by Microsoft’s archrival, Oracle. (For more on
SQL Server security vulnerabilities, see the article “Database
Insecurity: Securing SQL Server.”)

Oracle's problems were simultaneously announced by researchers at Covert
Labs, a division of Network Associates. Both concern users of Oracle
8i Standard and Enterprise editions and have potentially serious ramifications
if exploited.

The first bug, the Oracle 8i SQLNet Header Vulnerability, was discovered
and documented by Nishad Herath of Covert Labs. Malicious individuals can
construct packets that exploit a design flaw in Oracle's Transparent Network
Substrate (TNS) to mount a denial-of-service attack upon an Oracle 8i
installation. By issuing a malicious connection request, attackers can cause
a memory segmentation fault that terminates critical TNS services.
Covert Labs assigns this flaw a "Medium" risk factor.

The second bug is a related buffer overflow vulnerability in the Oracle 8i
TNS Listener. Discovery of this bug is also credited to Nishad Herath, along
with his colleague Brock Teillier. They assess this vulnerability as more
serious than its predecessor, assigning it a "High" risk factor. The reason
for this is quite simple -- successful exploitation of this vulnerability
allows a malicious intruder to execute arbitrary code on the Oracle server
with local system privileges on a Windows system. In most default Unix
installations, the attacker will gain database administrator rights.

Representatives at Oracle's headquarters did not immediately respond to
requests for comment on these security holes, but it's apparent that the
corporation is aware of the issues. In fact, they released bug reports
detailing the flaws and offering solutions. These items are posted on
Oracle's MetaLink site, which is restricted to registered owners of Oracle
products.

If you're using an Oracle platform to manage your data, I
strongly recommend that you consider implementing these bug fixes
immediately. Historically speaking, announcements of security flaws in
popular products are often followed by a series of attacks by "script
kiddies" looking to earn their stripes within the computer
underground. It's definitely worth a few minutes of your time to ensure
that you're not the target of a security breach that leaves you shaking your
head and musing "If only I had applied that patch in time..." Or
maybe you recall the old adage: "A patch in time saves nine!"
(Sorry, I couldn't resist!)