Trick or Treat ................ MFL

http://www.eweek.com/article2/0,1895,1881877,00.asp wrote:

"Oracle has been a focus of criticism in recent months, as independent security researchers such as Kornbrust and Next Generation Security Software Ltd.'s David Litchfield have complained that the company's database software is riddled with security holes and that Oracle takes too long to issue patches for the problems.

A recent paper released by researchers at The SANS Institute, of Bethesda, Md., revealed weaknesses in the password protection mechanism in Oracle's databases. In just the latest example, Kornbrust said he passed details to Oracle last week on more than 250 SQL injection vulnerabilities in the company's 10g Release 1 database server. Kornbrust said he found the SQL injection holes in just 6 hours using automated vulnerability scanning tools to analyze about 9,000 software packages and functions that are part of 10g Release 1.

The holes are new and are not covered by fixes released in the latest Critical Patch Update. Exploit code that Kornbrust developed for some of the holes gives users basic ownership rights to vulnerable Oracle databases, a critical security hole. Up to 30 percent of the new holes may allow database users to elevate their privileges, Kornbrust said." Received on Tue Apr 25 2006 - 03:02:32 CDT