Update to the Oracle EXTPROC advisory
From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 09/12/03
Date: Fri, 12 Sep 2003 13:30:10 +0100 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hello,
Please note that Oracle has updated the extproc buffer overrun advisory.
There was some confusion caused because the initial Oracle advisory stated
that a username and password were required to exploit the overflow which was
contrary to the results of our research; we concluded that no user ID or
password was necessary. Whilst I answered many of the mails querying this
discrepancy, for those that I did not have a chance to reply to, please
accept my apologies. The updated Oracle can be found here :
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf . In summary,
Oracle 9i Database Release 2, Oracle 9i Database Release 1 and Oracle 8i
Database (8.1.x) are all vulnerable and that "Risk to exposure is high, as a
valid username and password is not needed in all cases to exploit this
potential vulnerability."
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/
+44(0)208 401 0070
NGSSoftware's SQuirrel for Oracle, an advanced security audit tool for
Oracle, checks for these vulnerabilities. More information is available from
http://www.nextgenss.com/products/squirrelfororacle.htm .