Sunday, December 31, 2006

Security flaw fixed

Unfortunately, I didn't have enough time to post this note earlier – I was totally booked, and that was much more important than Internet, web forums and blogs...

At October 17th Oracle officially released eighth Critical Patch Update (CPU). This CPU fixes about one hundred Oracle bugs, and its advisory is currently available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html

Among others, it finally suggests a fix to the dire security hole I came across in April:
http://andrewmax.blogspot.com/2006/04/yet-another-security-alert.html

I have applied October CPU and, according to tests I've made, the problem is really resolved – any attempt of unauthorized data modification now fails with ORA-01031 (insufficient privileges) error.
My corresponding Metalink SR got finally closed.

In "Credits" section of CPU advisory, Oracle kindly credited me as well as other persons and organizations for bringing security problems to Oracle’s attention:

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Johannes Fahrenkrug; Sacha Faust of S.P.I. Dynamics, Inc.; Esteban Martinez Fayo of Application Security, Inc.; Jeff Kayser of Database Doctor, Inc.; Alexander Kornbrust of Red Database Security GmbH; David Litchfield of Next Generation Security Software Ltd.; and Andrew Maksimenko of COMEC-92 (me).


I'm very glad to realize that the story is over – having such hole unfixed for a long time is like sitting on a ticking bomb: sooner or later, it goes.
In short - I’d recommend applying October CPU as soon as possible, or else you leave your Oracle database vulnerable, both data integrity and security can be easily compromised.

Andrew.

1 Comments:

Blogger tiancai2080 said...

This is very nice blog. do you konw Mozilla Firefox web browser?I really loved it,I hope you may want to download and try. thank you.

10:48 AM  

Post a Comment

<< Home