Oracle CSO Online Interview

My interview with CSO Online became available over the weekend. It discusses vendor trust and information security implications of the issues with password security in the Oracle database. You can read more about it here. Thanks to CSO Online for thinking of us and including us in the article.

Oracle Critical Patches for July 2008

Oracle has released their set of critical patches for July 2008. These fix multiple issues across several product lines. Potential impact against unpatched systems include remote system access (as root), privilege escalation, Denial of Service issues and information leakage. If you are running any of the following products you should visit Oracle’s advisory and begin the patching process.

Affected products:

    BEA WebLogic Express 7.x thru 10.x
    BEA WebLogic Server 6.x thru 10.x
    Oracle Application Server 10g
    Oracle Database 10.x and 11.x
    Oracle E-Business Suite 11i and 12.x
    Oracle Enterprise Manager 10.x
    Oracle Hyperion Business Intelligence Plus 9.x
    Oracle Hyperion Performance Suite 8.x
    Oracle PeopleSoft Enterprise Customer Relationship Management (CRM) 9.x
    Oracle PeopleSoft Enterprise Tools 8.x
    Oracle Times-Ten In-Memory Database 7.x
    Oracle9i Application Server
    Oracle9i Database Enterprise Edition and Database Standard Edition

Original Advisory:

Critical Oracle Vulnerabilities

Multiple vulnerabilities have been reported in the Oracle products listed below. The packages SDO_GEOM, SDO_IDX, and SDO_UTIL do not properly sanitize input, this can allow the injection of arbitrary SQL code. Additionally there are issues with the DBMS_STATS_INTERNAL package. These issues could allow an attacker to gain DBA privileges. There are additional issues that remain unspecified. See Oracle’s original advisory at:

* Oracle Database 11g, version
* Oracle Database 10g Release 2, versions,
* Oracle Database 10g, version
* Oracle Database 9i Release 2, versions,
* Oracle Application Server 10g Release 3 (10.1.3), versions,
* Oracle Application Server 10g Release 2 (10.1.2), versions,,
* Oracle Application Server 10g (9.0.4), version
* Oracle Collaboration Suite 10g, version 10.1.2
* Oracle E-Business Suite Release 12, version 12.0.4
* Oracle E-Business Suite Release 11i, version
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09
* Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0
* Oracle Siebel SimBuilder versions 7.8.2, 7.8.5

Oracle Critical Patches for January 2008

As apart of their ongoing security program, Oracle has released their latest round of critical patches. Most versions of Oracle from 9i through 12 are affected in some manner and the vulnerabilities are unspecified. For full details visit their original advisory at:

Quicktime PoC

Apple released an update to Quicktime yesterday, and attackers wasted no time coming up with a new exploit for it. Already in the public is a proof of concept exploit for Quicktime It seems that Apple still hasn’t fixed the root cause of the RTSP vulnerability.

In other news, a survey over the past year on Oracle admins found that only 1 in 3 Oracle database admins bother to patch their databases. 68% of the admins admitted to never applying any patches at all. If that is true, it’s rather frightening.

Oracle Prerelease Info, Tivoli Bof

There’s a vulnerability in Oracle Siebel SimBuilder that could allow for remote system compromise. This vulnerability is related to a vulnerability in NCTAudioFile2.dll. The vulnerability affects version version 7.8.5 build 2635. Other version have not been tested so they may be vulnerable as well. Users should disable the affected ActiveX control. If you are affected by this and would like more information please feel free to contact us.
Tivoli Storage Manager Express is vulnerable to a heap based buffer overflow. This can be exploited by a malicious user on the network to cause code execution under the SYSTEM user. Versions of the software prior to are affected. Administrators of this software should apply the updates available at
Also, Oracle will be releasing critical patch updates Tuesday, January 15th. Several critical vulnerabilities in database software and application servers are expected to be announced. We will provide more details as they are made available.

A Couple of Interesting Developments

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some short cuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive!  — Just a reminder!