Oracle left red-faced by security flaw

Database hole revealed...

Hot on the heels of the reported weakness in its server software, Oracle has been left red-faced again today as security experts uncovered a hole in its 8i database. According to researchers at the CERT Coordination Center at Carnegie Mellon University, a buffer overflow vulnerability in the flagship database software allows attackers to take remote control of the database server. On a Windows machine, the flaw could also allow intruders to wrest control of the underlying operating system.

Gunter Ollmann, principal consultant at ISS (Internet Security Systems), warned that the vulnerability is potentially very serious. "Anything which can give remote access to a system is not good," he pointed out.

Combined with additional attack code, the vulnerability allows a malicious user to take over the privileges of the TNS listener process before authentication takes place, so no username or password is required to gain access. Because the listener is reached over the network, a standard internet firewall that blocks inbound connections to the listener's port (TCP 1521 by default) should protect most companies from external attackers, although Ollmann warned that firms without firewall protection or with misconfigured software could be at risk. Even with a firewall, businesses remain exposed to malicious attacks from within company walls, since internal users can usually reach the listener directly.

Last month ISS discovered a similar flaw in Oracle Net8, leaving users of its hugely popular 7, 8 and 8i databases open to external Denial of Service (DoS) attacks. Ollmann said: "It's such a large package with a tremendous amount of code. The bigger it is, the more likely it is that flaws will creep in."