
Emergency Workaround For Oracle 0-Day

Posted by kdawson
from the maybe-somebody-shorted-the-stock dept.
Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.
  • Re:I forgot (Score:2, Insightful)

    by snl2587 (1177409) on Tuesday July 29, 2008 @11:18PM (#24396307)
    What a surprise! They were exploited by an actual hacker. Whodathunkit?
  • by SlashWombat (1227578) on Tuesday July 29, 2008 @11:38PM (#24396475)
    I would have thought that an exploit like this would be worth a huge amount of money ... For Oracle, but now for the great pool of unwashed out there.

    It strikes me that if Oracle (and other HUGE software vendors) were to offer substantial cash incentives to find holes as gaping as this one obviously is, the exploit would have been reported directly to Oracle. By substantial I mean in excess of 100,000 euros. (I would have said US dollars, but that currency isn't worth much any more!)
  • by Anonymous Coward on Tuesday July 29, 2008 @11:44PM (#24396531)

    I just tried to google mod_wl and the first page of the results do not clearly tell me what mod_wl even does. I do not know a single person who uses it and I work at a large ISP.

    This has nothing to do with Oracle's database and I think Slashdot editors really need to stop with these silly headlines designed to get me to click on stories. Grow up! Make a profit without deceit!

    Frankly, this post about this overflow is such a non-issue for me it is funny.

    Can anyone explain what in the heck mod_wl even does?

  • by Anonymous Coward on Tuesday July 29, 2008 @11:50PM (#24396565)

    Substantial improvement in security and software quality will require vendors to take responsibility for their bugs. The most likely way to achieve this is to force actual losses upon their customers, who will then complain effectively to the vendors.

  • by InlawBiker (1124825) on Wednesday July 30, 2008 @12:25AM (#24396863)

    "Whoever published the vulnerability and matching exploit code did not contact Oracle first."

    It's interesting to me that this is a tag in the OP. I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it. For the most part it's people pushing software to its limits that find the bugs. BUT - the more business is done on the Internet the more valuable exploits become.

    I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

    Reporting to vendors is the right thing to do, but if there's one thing I've learned in my life it's that when money and ethics collide money almost always wins.

  • by Capt. Skinny (969540) on Wednesday July 30, 2008 @12:49AM (#24397061)
    One man's unrefined ruffianity is another man's unconscious vernacular.

    Moving to a university research lab after five years in IT at a paper mill in East Bumville, I really had to make a conscious effort to unlearn the conversational vernacular that I had picked up over the last few years.

    Oh, and I believe the correct expression is "Do you kiss your mother with that mouth?"
  • by John Whitley (6067) on Wednesday July 30, 2008 @01:01AM (#24397115) Homepage

    I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

    No need for abstract belief; this is near certainty. Even "better", I've seen stuff that would curl your teeth that the vendor apparently knew about but remained quietly unpatched. That was in the toolset of a professional IT security testing company. Their stuff made Metasploit look like a Lego model of a battleship vs. the real thing. It's sobering knowing that tools exist that are the direct realization of the weakest-link principle. With really well-thought-out and easy-to-use UI, and backend code just as nice. Click, ownage, click, ownage... /shudder

  • Fix your grammar (Score:3, Insightful)

    by MrNaz (730548) on Wednesday July 30, 2008 @01:22AM (#24397255) Homepage

    I'd comment on the absurdity of your comment, but it's much more fun to point out to trolls that their grammar stinks.

    It's "might not have caught it", although we all expect trolls to have the linguistic skills of Neanderthals.

  • by enosys (705759) on Wednesday July 30, 2008 @01:45AM (#24397409) Homepage

    The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these.

    Do you mean how they pay employees and some of those employees are involved in testing and debugging? That's not the same as paying for vulnerabilities. Do those employees get a bonus for finding vulnerabilities? What about if someone who is not an employee finds a vulnerability?

    The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.

    True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle.

  • by X0563511 (793323) on Wednesday July 30, 2008 @09:27AM (#24400465) Homepage Journal

    So what do you think your interpreter is made of? Somewhere, "unsafe" native code has to run.

  • by clone53421 (1310749) on Wednesday July 30, 2008 @10:17AM (#24401233) Journal

    if I go and build an application using overhead on top of more overhead, I'm building on a codebase that's had millions upon millions of hours of real-world testing. Moreover, that overhead, being one single piece of code, can easily be audited for security issues, buffer overflows, etc. None of this can be said of an application I build from scratch on top of an "unsafe" language.

    No, but it'll have less overhead. I wonder if they were concerned about performance when they designed this?

    Seriously, though: I'm not saying the application design you described doesn't have its place. In fact it's an excellent way to avoid this sort of problem if you're willing to sacrifice some flexibility and speed. In a high-performance database, though, every little bit is critical. Yes, they must hire top-notch programmers to avoid mistakes like this, but isn't that why the software package costs so much?
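The last few comments argue about whether the "unsafe" C that underlies network-facing code like a web-server plugin can be written without remote buffer overflows. As an added example (not code from the thread, from Oracle, or from the mod_wl plugin; the wire layout, function names and sample messages are all hypothetical and constructed here), the block below puts the classic defect beside its hardened form: a length-prefixed field parser that trusts the length byte from the wire, and one that checks the claimed length against both the destination buffer and the bytes actually received before copying.

```c
/* Added example: a length-prefixed field parser of the kind that runs on
 * unauthenticated network input. Everything here is hypothetical and
 * constructed for illustration; it is not Oracle's or mod_wl's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* fixed-size destination buffer, NUL included */

/* Hypothetical wire format: [len: 1 byte][len bytes of field data] */

/* Defective form, kept only for comparison and never called on hostile
 * input here: it copies as many bytes as the peer claims, so any len
 * above FIELD_MAX-1 overruns 'out', and any len above the bytes received
 * reads past 'msg'. This is the shape of bug a reviewer looks for. */
int parse_field_unchecked(const uint8_t *msg, size_t msg_len, char out[FIELD_MAX]) {
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no bound against FIELD_MAX or msg_len */
    out[len] = '\0';
    return (int)len;
}

/* Hardened form: the claimed length must fit the destination (with room
 * for the terminator) and must not exceed the bytes actually present. */
int parse_field_checked(const uint8_t *msg, size_t msg_len, char out[FIELD_MAX]) {
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t len = msg[0];
    if (len >= FIELD_MAX)   return -2;   /* would overflow 'out' */
    if (len > msg_len - 1)  return -3;   /* claims more than was received */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample messages exercising the checked parser. */
int demo_valid(char out[FIELD_MAX]) {
    const uint8_t msg[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    return parse_field_checked(msg, sizeof msg, out);
}

int demo_oversized_claim(char out[FIELD_MAX]) {
    uint8_t msg[1 + 200];
    memset(msg, 'A', sizeof msg);
    msg[0] = 200;                /* claims 200 bytes, far more than FIELD_MAX */
    return parse_field_checked(msg, sizeof msg, out);
}

int demo_truncated(char out[FIELD_MAX]) {
    const uint8_t msg[] = { 10, 'a', 'b', 'c' };   /* claims 10, only 3 follow */
    return parse_field_checked(msg, sizeof msg, out);
}

int main(void) {
    char buf[FIELD_MAX];
    printf("valid:     %d (%s)\n", demo_valid(buf), buf);
    printf("oversized: %d\n", demo_oversized_claim(buf));
    printf("truncated: %d\n", demo_truncated(buf));
    return 0;
}
```

The two checks in parse_field_checked are the whole difference: the first bounds the copy by the destination, the second by the data actually received, and both are performed before memcpy rather than trusting a value the remote peer controls.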
