Technology Stocks : How high will Microsoft fly?


To: alydar who wrote (63856) 12/24/2001 5:31:25 PM
From: DiViT
"orcl's database has proved to be secure" - Message #63856 from blisenko at Dec 21, 2001 9:01 AM

Here's an interesting article for you. I find it interesting that they want to keep the exploits quiet until the patch is available...


The very same day that Ellison boasted that no one could break into Oracle, David Litchfield of NGSSoftware found several exploitable vulnerabilities in the Oracle 9i Application Server. Ironic, huh? During an impromptu gathering at the recent Blackhat Security Briefings in Amsterdam, I watched him exploit 9iAS to remotely create an administrative user on the server. I also saw examples of unchecked buffers where overflows could be used to run other arbitrary code on the box. By the end of the demonstration, he covered four exploits against 9iAS that could allow an attacker to gain remote root.

The question is not if you can break in -- it is how one will choose to do so.

Of course, Mr. Litchfield advised Oracle of these issues, and the company is currently working to patch the problems. He says he will not release details of the vulnerabilities until Oracle has had a chance to fix them and publish an official patch, which should be sometime in the very near future.

I tried to check Oracle's Technet site to see if they had any information available on the patches, but the Web site was down for part of the weekend. So, maybe Oracle has figured out how to make something "unbreakable" -- make it "unreachable."

Interacting with systems as if they are truly unbreakable takes away from security-in-depth, and that is really what I am worried about in all of this.

If people think that they are safe behind an impenetrable wall, they are not very likely to build up defenses beyond that point. Break through the wall, or simply go around it, and you have free rein of the castle grounds. When you break into 9iAS, you not only own it, you own everything that it is protecting. Furthermore, the implications of owning a box that is trusted by all the replication partners or clusters in the enterprise are far reaching.

If you want to move your mail to a database server or deploy applications on redundant clusters, then go for it -- but do so with your eyes open and employ different layers of security along the way. Don't put all of your bits in one basket... Because when the feces hits the oscillator and you find out exactly what really can be broken, you might also find your employment contract included in the list.

Source: securityfocus.com