Re: Interesting MetaLink notice

  • From: Jared Still <jkstill@xxxxxxxxx>
  • To: Mladen Gogala <gogala@xxxxxxxxxxxxx>
  • Date: Sun, 5 Feb 2006 10:17:26 -0800

On 2/4/06, Mladen Gogala <gogala@xxxxxxxxxxxxx> wrote:
>
>
> On 02/04/2006 08:20:41 PM, Jared Still wrote:
> > https://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=1696291.993
>
> Are you referring to Oracle's reaction to David Litchfield's findings?
> --
> Mladen Gogala
> http://www.mgogala.com
>
>

Yes.  I see the text is available now.

It seemed very interesting as Litchfield has grown increasingly
frustrated with Oracle regarding the patching of serious security
holes.

Oracle's response to this is rather more candid than what is
usually seen, and seems to indicate Oracle's increasing frustration
with Litchfield.

Questions that arise from this, and have certainly arisen a number
of times previously to this:

* If the only people that know about these security holes are researchers
that devote considerable time to finding these holes, what is gained by
releasing the info before the patches are available? (no known exploits
for most of these have been found in the wild)

* Is this just a ploy by Litchfield to gain publicity, or is it
one-upmanship among security researchers?  I mean no disrespect to
Litchfield, but the question must be asked.

Litchfield released a workaround for this hole, but it has not had the
extensive testing that Oracle must do before releasing a workaround to
be applied to http.conf.

From bugtraq:

RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

A reply to Litchfield's post on bugtraq stated that this workaround
breaks HTMLDB. (excuse me: Oracle Application Express)

Oracle states that this will also break eBusiness Suite.

The state of Oracle security has been somewhat questionable as of late.

Some of Litchfield's frustration is understandable, as some flaws in
Oracle have been uncorrected for literally years after they were
notified of the problems.

Frustration on the part of the lowly DBA increases as well.

Here we are, applying non-trivial patches (which sometimes need to be
done twice if you are an unfortunate early adopter), knowing full well
that there are known issues that are not addressed by the patch.

Even those problems that are addressed by security problems are
not always corrected, requiring only a small change in the exploit
to get around the security 'fix'.

So, while Oracle and the researchers duke it out, the DBAs and
other customers of Oracle are caught in the middle.

Gotta go now, breakfast is ready.  :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
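The post quotes the bugtraq mod_rewrite workaround and notes that it breaks HTML DB and eBusiness Suite. The following is an added example, not part of the post or of Litchfield's bugtraq message, that reproduces only the RewriteCond part of that workaround in Python (the same regex, applied to the query string) and runs it over constructed sample query strings. It is meant to show why the rule has collateral damage: any request whose query string carries a literal ')' or its encoded form '%29', including ordinary application data, is redirected. The sample query strings are made up for this illustration and are not real HTML DB or eBusiness Suite URLs.

```python
import re

# Same pattern as the quoted RewriteCond line:
#   RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
# The unparenthesised alternation means: the query string contains a
# literal ')' anywhere, OR it contains '%29' anywhere.
WORKAROUND_PATTERN = re.compile(r"^.*\).*|.*%29.*$")


def workaround_blocks(query_string: str) -> bool:
    """True if the quoted workaround would redirect a request carrying
    this query string to the denied page (mod_rewrite semantics are a
    search, not a full-string match, so re.search is the right call)."""
    return WORKAROUND_PATTERN.search(query_string) is not None


def collateral_blocks(legitimate_queries):
    """Return the subset of known-good query strings the rule would
    still block. Useful for assessing the impact on an application
    before the rule goes into httpd.conf."""
    return [q for q in legitimate_queries if workaround_blocks(q)]


# Constructed samples (assumption: representative of application traffic,
# not taken from any real product).
LEGITIMATE_QUERIES = [
    "p=100:1:123456789",          # colon-separated values, no parentheses
    "proc=report&dept=10",
    "name=Smith%20(John)",        # user data that happens to contain ')'
    "expr=%28a%2Bb%29",           # fully URL-encoded '(a+b)'
]


def summarize(queries=LEGITIMATE_QUERIES):
    """Map each sample query string to whether the workaround blocks it."""
    return {q: workaround_blocks(q) for q in queries}


if __name__ == "__main__":
    for q, blocked in summarize().items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {q}")
    print("collateral:", collateral_blocks(LEGITIMATE_QUERIES))
```

Running this shows two of the four benign samples redirected, which is the effect the bugtraq reply and Oracle describe for HTML DB and eBusiness Suite: the rule keys on a single character rather than on the vulnerable procedure, so the impact has to be measured against each application's real URL space before it is deployed.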
