Researcher says Oracle database can be hacked remotely
A computer security expert believes that nine in every ten Oracle databases are vulnerable to an attack that would give hackers access to and control over sensitive corporate and government database systems, without the need for a user ID or password, according to Reuters.
David Litchfield, chief research scientist at NGSSoftware Ltd, a UK-based security company, said that he warned Oracle of the vulnerability in its popular database software back in November, hoping that the company would fix it. He decided to go public with the flaw after Oracle failed to address it in the quarterly security patches released in January.
Talking about the flaw after presenting his research at the Black Hat hacking conference in Washington on Wednesday, Litchfield said: "It allows an attacker without a user ID and password to take complete control. All firewalls become irrelevant."
Although the exploit can be prevented by changing the software's default settings, Litchfield believes nine in every ten databases remain vulnerable. He added that there was no way to tell whether any hackers had already used the vulnerability to gain access to a database.
Reuters reported that Oracle declined to comment on the vulnerability.

Comments (15)
+Jonessie - 08 February 2010 - 10:23
Very interesting article. I work in the public sector, and somebody has been trying to gain access to our network for the last four years but has failed to get in; this is going to worry a few IT bosses this morning.
julianbl - 08 February 2010 - 10:45
hopefully this would bring down the secure oracle mith.
Nick Brunt - 08 February 2010 - 12:26
*myth :D
julianbl - 08 February 2010 - 13:24
*myth :D
Oops!! :$
(not an excuse, but English is not my native language)
highonsnow - 08 February 2010 - 12:06
Might be worth mentioning ye ol' reliable MySQL in this instance - solid as a rock.
Never liked Oracle anyway.
n_K - 08 February 2010 - 12:20
It's a shame those idiots in the EU are allowing Oracle to take over Sun and MySQL, which will destroy it and turn it into a POS like this.
But I'm glad Oracle's got a huge security flaw. Hope many thousands more are found and reported; that way I'm sure our taxes can fall when the DBAs finally work out Oracle is crap and move to something decent before it's too late (e.g. MySQL).
ruterger - 08 February 2010 - 16:34
It's a shame those idiots in the EU are allowing Oracle to take over Sun and MySQL, which will destroy it and turn it into a POS like this.
+1.
I don't know a DBA who hasn't thrown a few curses around over this.
Edit (ruterger, 08 February 2010 - 16:35): Forgot to /quote
omar8 - 08 February 2010 - 18:55
HAHA, Did you really just compare MySQL to an Oracle database?
RealFduch - 08 February 2010 - 19:22
It's a shame those idiots in the EU are allowing Oracle to take over Sun and MySQL, which will destroy it and turn it into a POS like this.
It's a shame MySQL's creator sold it for huge $$$, which will destroy it and turn it into a POS like this.
+Northgrove - 08 February 2010 - 13:30
Ugh
This stuff can end up far worse than those stupid IE security holes.
Neoauld - 08 February 2010 - 14:08
This is scary.
dotf - 08 February 2010 - 16:21
Does anyone know if the exploit code can be modified to run on 9i ?
billyea - 08 February 2010 - 16:39
Luckily you encrypt all your sensitive information before shoving it into the database... right?
+Louis M. - 08 February 2010 - 23:45
What is this encrypt thing you speak of? Funny story though: I saw the other day, they decrypt keys stored in the database with the encrypted text. What is the point of this?!?! The programmer said it was impossible to crack...... /le sigh.
julianbl - 09 February 2010 - 12:13
Dear Oracle customer,
Unscheduled Oracle Security Alert for CVE-2010-0073 was released on February 4, 2010. Oracle strongly recommends applying the patches as soon as possible.
The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of the security vulnerability, and a pointer to obtain the patches. Supported products that are not listed in the "Supported and Affected Products" section of the advisory do not require new patches to be applied.
Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Advisory is available at the following location:
Oracle Critical Patch Updates and Security Alerts: http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle Security Alert CVE-2010-0073: http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html
Thank you,
Customer Support of Oracle Corporation