Oracle Bug Exploit Loose - InformationWeek
IoT
IoT
News
News
4/20/2006
02:16 PM
50%
50%

Oracle Bug Exploit Loose

The exploit, which targets one of the Oracle Database 10g bugs, escalates privileges of existing users to give them total access to the database. Installing the available patch is critical, security experts say.

An exploit that leverages one of the three-dozen vulnerabilities patched Tuesday by Oracle has been spotted in the wild, a security company said Thursday, making patching even more essential.

According to an alert sent by Symantec to customers of its DeepSight system, an exploit for one of the Oracle flaws was published on the Bugtraq security mailing list. The exploit, which targets one of the Oracle Database 10g bugs, escalates privileges of existing users to give them total access to the database.

Additionally, more information has been posted online by German security researchers with Red Database Security that Symantec said "will allow a sufficiently skilled attacker to develop an exploit for [another] vulnerability in a few minutes or hours."

"I think it's credible that someone will try to use these exploits," said Alfred Huger, senior director of engineering for Symantec's security response team. "Then you're in big trouble."

Getting low-level access to a database is not hard, added Huger, since attackers can exploit other vulnerabilities. "But once in, they want to get into the entire database. For that, they need to escalate their privileges. So exploits that do that, like this one, are worth their weight in gold."

US-CERT (Computer Emergency Response Team) added its voice Wednesday by issuing its own alert, which urged companies to patch the Oracle bugs as soon as possible.

Finally, Symantec's Huger was cautiously encouraged by the drop in bugs reported in April compared to January.

"It's promising that it was significantly lower, but I think we'll have to have a few more CPUs (Critical Patch Updates) before we really know if Oracle's managed to close off most vulnerabilities."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll