Oracle has yet to release patches for multiple security holes in its software. As Computer Weekly went to press, the software company said it would release patches for the flaws shortly, but it did not reveal any details about the nature of the problems.

A security company has claimed it alerted Oracle to the problems in January. NGS Software said it identified 34 new holes in Oracle software, which range from buffer overflow attacks to SQL insertion techniques for gaining access to the Oracle database engine.

David Litchfield, managing director of NGS Software, declined to give further details of the security flaws before Oracle had released the patches to avoid aiding hackers. Litchfield said he informed Oracle of the flaws in January and he expected the patches to be ready by the time of the BlackHat security conference in Las Vegas last month.

In a statement concerning the security holes, Oracle said, "When software security flaws are discovered, Oracle responds as quickly as possible with patches and workarounds to help protect information secured by customers in Oracle-based information systems."

At the time of writing, Oracle had not issued the patches - eight months since it was first alerted.

Litchfield warned users to avoid tinkering with their database to improve security until Oracle released the patches. Once the patches are released, users should first install them on non-production systems, he said.

How hackers can breach firewalls

According to David Litchfield, managing director of NGS Software, too many users rely on a firewall to protect their IT. But as the firewall needs to allow access to applications such as databases, a hacker could still gain entry to a corporate system by using a SQL injection attack, which cannot be stopped by a firewall. Litchfield said users needed to look at all the components of their network - from firewalls to applications - when considering IT security.
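The point Litchfield makes is that a firewall sees only ordinary application traffic on the port it has been told to allow; whether the request carries a legitimate value or one that rewrites the query is decided inside the application. The following Python example, added here and not taken from the article, NGS Software or Oracle, illustrates that with a query built by string concatenation beside the parameterized form that fixes it. It uses Python's built-in sqlite3 module as a stand-in for the Oracle database engine (an assumption for the sake of a self-contained example); the table contents and the input value are constructed.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the
# database that the firewall has to let the application reach.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "secret-a"), ("bob", "secret-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The user-supplied value is pasted into the SQL text, so the database
    # parses it as part of the statement. Nothing on the network path can tell
    # this request apart from a normal one: it is the same port, same protocol.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # The value is bound as a parameter and sent separately from the statement
    # text, so it can only ever be compared as data, never parsed as SQL.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


# Defence in depth: an allowlist check at the application boundary rejects
# values that cannot be usernames before any query is built.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


# Constructed example of an input that changes the meaning of the
# concatenated query: the closing quote ends the literal and the rest is
# parsed as SQL, so the WHERE clause becomes true for every row.
MALFORMED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "alice"))
    print("vulnerable, malformed input:", lookup_vulnerable(db, MALFORMED_INPUT))
    print("parameterized, malformed:   ", lookup_parameterized(db, MALFORMED_INPUT))
    print("allowlist rejects it:       ", not is_valid_username(MALFORMED_INPUT))
```

Run stand-alone, the vulnerable lookup returns every row for the malformed input while the parameterized lookup returns nothing, and the allowlist rejects the value outright. Parameterized queries, input validation, and a database account with only the privileges the application needs are application- and database-level controls; they are what closes the gap the firewall cannot.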