Site Sponsor:

mcafee_logo.gif
line

Now Available:

Featured Resource:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Dan or post a comment to the blog.

« Social Network Not All Bad for Enterprise | Main | Preventing Data Loss with Host-based Intrusion Prevention Systems »

Oracle Lax on Latest Zero-Day Vulnerability

IDefense Labs is reporting on an unpatched vulnerability in the Oracle 10g XDB package:

Exploitation of this vulnerability allows an authenticated remote user to execute code on the underlying system in the context of the database account. Other than access to execute the vulnerable function, this vulnerability does not require any special privileges. From the database user account, an attacker can then access or modify the database and files related to its operation.

Oracle's response basically boils down to "Yea, we know, we fixed it, we'll release the patch when we get to it." Thanks, that's a big help.

Oracle doesn't have the best reputation when it comes to security and this makes it seem like they want to claim the title of most disinterested vendor when it comes to security. One way to avoid this perception is to change the patch policy. When a vulnerability is found that allows for arbitrary code execution in the database and proof of concept code is available on line, then patch as soon as possible.

Tags:      
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Dan Sullivan on November 9, 2007 1:26 PM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-websecurity.com/type/mt-tb.cgi/516

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Latest White Papers

line

Blog Roll

line

Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net