A computer security expert believes that nine in every ten Oracle databases are vulnerable to an attack that would give hackers access to and control over sensitive corporate and government database systems, without the need for a user ID or password, according to Reuters.
David Litchfield, chief research scientist at NGSSoftware Ltd, a UK-based security company, said that he warned Oracle of the vulnerability in its popular database software back in November, hoping that the company would fix it. He decided to go public with the flaw after Oracle failed to fix the vulnerability when it released its quarterly security patches in January.
Talking about the flaw after presenting his research at the Black Hat hacking conference in Washington on Wednesday, Litchfield said, "It allows an attacker without a user ID and password to take complete control. All firewalls become irrelevant."
Although it is possible to prevent the exploit by changing the default settings of the software, Litchfield believes nine in every ten databases are vulnerable. He added that there was no way to tell if any hackers had already used the vulnerability to gain access to a database.
Reuters reported that Oracle declined to comment on the vulnerability.