HardwareHeaven.com

Feb 19, 2003, 07:54 AM   #1
ToshiroOC

Oracle plugs six-pack of flaws

Next-Generation Security Software, the British security firm that discovered the bug that allowed the Slammer worm to proliferate last month, has discovered a six-pack of flaws in Oracle's newest database product.

Redwood Shores, Calif.-based Oracle released patches for the six vulnerabilities--four deemed critical and two merely serious--last week.

Oracle has tried to structure the way it releases patches for its products, so that customers aren't inundated with fixes, said Mary-Ann Davidson, the company's chief security officer.

The current flaws include four critical buffer overflows in various components of Oracle's database server software, including its latest Oracle 9i Release 2. Buffer overflows, or overruns, occur when an application does not handle memory correctly. By causing a buffer overflow, attackers can insert their own code into the execution of the application. Each of the four flaws could allow a malicious user--someone who already has some access to the database--to gain complete control of the server.

Two other vulnerabilities could use other Oracle components to cause a denial-of-service attack.

Davidson said that six flaws, in five advisories, may sound a daunting number but that Oracle decided that separating the alerts made more sense than releasing a single combined notification, a strategy occasionally used by Microsoft.

--By Robert Lemos, source: news.com (CNET)

Article can be read here.