
Sybase patches three security holes

Sybase has issued a security patch for three vulnerabilities affecting the latest versions of its database software. The vulnerabilities allow a malicious hacker to gain control of a Sybase server and run arbitrary code on it.

Sybase said it was unaware of any systems that have been affected by the problem, but advised customers to download and install the patches posted on its Web site last week.

The security holes can be used to create a "buffer overflow", a memory problem frequently exploited in cyber attacks. The holes affect users running the latest versions of Sybase's Adaptive Server database, versions 12.0 and 12.5, on both Unix and Windows platforms, said Application Security, the application security company that discovered the problem.

Sybase senior marketing manager Tom Traubitz said the vulnerabilities were "predominantly hypothetical" and could be exploited only by those who are able to log into a system as a "trusted user."

Application Security, which called the vulnerabilities "high risk," disagreed. "A non-privileged user can execute these things; we stand by that," insisted Stephen Grey, an Application Security marketing manager.

One exploit uses the command "DROP DATABASE", which, according to information on Application Security's Web site, should only be run by privileged users. However, if a non-privileged user runs this command, the buffer overflow occurs before any access control check takes place, meaning that the user could exploit this security hole to take complete control of a Sybase server.

Application Security has posted a description of the vulnerabilities on its Web site at www.appsecinc.com/resources/alerts/sybase
