Oracle works to patch rash of security holes

Cliff Saran

Oracle has yet to release patches for multiple security holes in its software.

As Computer Weekly went to press, the software company said it would release patches for the flaws shortly, but it did not reveal any details about the nature of the problems. A security company has claimed it alerted Oracle to the problems in January.

NGS Software said it identified 34 new holes in Oracle software, ranging from buffer overflows to SQL injection techniques for gaining access to the Oracle database engine.

David Litchfield, managing director of NGS Software, declined to give further details of the security flaws before Oracle had released the patches to avoid aiding hackers.

Litchfield said he informed Oracle of the flaws in January and had expected the patches to be ready by the time of the Black Hat security conference in Las Vegas last month.

In a statement concerning the security holes, Oracle said, "When software security flaws are discovered, Oracle responds as quickly as possible with patches and workarounds to help protect information secured by customers in Oracle-based information systems."

At the time of writing, Oracle had not issued the patches - eight months after it was first alerted.

Litchfield warned users against tinkering with their databases to improve security until Oracle releases the patches. Once the patches are released, users should install them on non-production systems first, he said.


How hackers can breach firewalls

According to David Litchfield, managing director of NGS Software, too many users rely on a firewall to protect their IT.

But because the firewall must allow traffic through to applications such as databases, a hacker could still gain entry to a corporate system by using a SQL injection attack, which travels over that permitted connection and so cannot be stopped by the firewall. Litchfield said users needed to look at all the components of their network, from firewalls to applications, when considering IT security.
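The point above is that the firewall never sees anything unusual: the connection from the application to the database is permitted, and the attack lives inside the SQL text, which the firewall does not parse. The following is an added illustration, not code from the Computer Weekly article or from NGS Software. It uses Python's built-in sqlite3 module as a stand-in for the database engine, and the table, accounts and attack payload are constructed for the demonstration.

```python
"""Why a SQL injection rides straight through a firewall: the same permitted
connection carries both a legitimate login and the attacker's login, and only
the way the query is built decides which one succeeds.

Added example using sqlite3 as a stand-in database; users, passwords and the
payload are constructed, not taken from any real system.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, so user text becomes SQL.

    This is the pattern a firewall cannot protect against: the request is an
    ordinary database query on an allowed port.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """Binds the values as parameters, so user text can only ever be data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run a legitimate login and an injection attempt against both versions."""
    conn = make_db()
    # Constructed payload: closes the quoted literal, then comments out the
    # rest of the WHERE clause so the password check never runs.
    payload_user = "alice' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_parameterised": login_parameterised(conn, "alice", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, payload_user, "wrong"),
        "attack_parameterised": login_parameterised(conn, payload_user, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Both login functions issue their query over the same connection, so from the network's point of view the attack is indistinguishable from a normal login; the defence has to sit in the application (parameter binding) or in the database's own controls, which is the layered view Litchfield describes.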
