Emergency Workaround For Oracle 0-Day 152
Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.
Re:I forgot (Score:2, Insightful)
perhaps if they paid ... (Score:5, Insightful)
It strikes me that if Oracle (and other HUGE software vendors) were to offer substantial cash incentives to find holes as gaping as this one obviously is, that the exploit would have been reported directly to Oracle. By substantial i mean in excess of 100,000 euros. (I would have said US dollars, but that currency isn't worth much any more!)
what in the world is mod_wl do? (Score:4, Insightful)
i just tried to google mod_wl and the first page
of the results do not clearly tell me what mod_wl
even does. i do not know a single person who uses
it and i work a large ISP.
this has nothing to do with oracle's database and
i think slashdot editors really need to stop with
these silly headlines designed to get me to click
on stories. grow up! make a profit without deceit!
frankly, this post about this overflow is such
a non issue for me it is funny.
can anyone explain what in the heck mod_wl even does?
Applying Schneier's dictum (Score:0, Insightful)
Substantial improvement in security and software quality will require vendors to take responsibility for their bugs. The most likely way to achieve this, is to force actual losses upon their customers, who will then complain effectively to the vendors.
"Did not contact Oracle first." (Score:4, Insightful)
"Whoever published the vulnerability and matching exploit code did not contact Oracle first."
It's interesting to me that this is a tag in the OP. I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it. For the most part it's people pushing software to its limits that find the bugs. BUT - the more business is done on the Internet the more valuable exploits become.
I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.
Reporting to vendors is the right thing to do, but if there's one thing I've learned in my life it's that when money and ethics collide money almost always wins.
One man's ruffianity... (Score:5, Insightful)
Moving to a university research lab after five years in IT at a paper mill in East Bumville, I really had to make a conscious effort to unlearn the conversational vernacular that I had picked up over the last few years.
Oh, and I believe the correct expression is "Do you kiss your mother with that mouth?"
Re:"Did not contact Oracle first." (Score:3, Insightful)
I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.
No need for abstract belief; this is near certainty. Even "better", I've seen stuff that would curl your teeth that the vendor apparently knew about but remained quietly unpatched. That was in the toolset of a professional IT security testing company. Their stuff made Metasploit look like a Lego model of a battleship vs. the real thing. It's sobering knowing that tools exist that are the direct realization of the weakest link principle. With really well-thought out and easy to use UI, and backend code just as nice. Click, ownage, click, ownage... /shudder
Fix your grammar (Score:3, Insightful)
I'd comment on the absurdity of your comment, but it's much more fun to point out to trolls that their grammar stinks.
It's "might not have caught it", although, we all expect trolls to have the linguistic skills of neanderthals.
Re:perhaps if they paid ... (Score:2, Insightful)
The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these.
Do you mean how they pay employees and some of those employees are involved in testing and debugging? That's not the same as paying for vulnerabilities. Do those employees get a bonus for finding vulnerabilities? What about if someone who is not an employee finds a vulnerability?
The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.
True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle.
Re:perhaps if they paid ... (Score:3, Insightful)
So what do you think your interpreter is made of? Somewhere, "unsafe" native code has to run.
Re:perhaps if they paid ... (Score:2, Insightful)
if I go and build an application using overhead on top of more overhead, I'm building on a codebase that's had millions upon millions of hours of real-world testing. Moreover, that overhead, being one single piece of code, can easily be audited for security issues, buffer overflows, etc. None of this can be said of an application I build from scratch on top of an "unsafe" language.
No, but it'll have less overhead. I wonder if they were concerned about performance when they designed this?
Seriously, though: I'm not saying the application design you described doesn't have its place. In fact it's an excellent way to avoid these sort of problems if you're willing to sacrifice some flexibility and speed. In a high-performance database, though, every little bit is critical. Yes, they must hire top-notch programmers to avoid mistakes like this, but isn't that why the software package costs so much?