Researcher says Oracle database can be hacked remotely

A computer security expert believes that nine in every ten Oracle databases are vulnerable to an attack that would give hackers access to and control over sensitive corporate and government database systems, without the need for a user ID or password, according to Reuters.

David Litchfield, chief research scientist at NGSSoftware Ltd, a UK-based security company, said that he warned Oracle of the vulnerability in its popular database software back in November, hoping that the company would fix it. He decided to go public with the flaw after Oracle failed to fix the vulnerability when it released its quarterly security patches in January.

Talking about the flaw after presenting his research at the Black Hat hacking conference in Washington on Wednesday, Litchfield said: "It allows an attacker without a user ID and password to take complete control. All firewalls become irrelevant."

Although it is possible to prevent the exploit by changing the default settings of the software, Litchfield believes nine in every ten databases are vulnerable. He added that there was no way to tell if any hackers had already used the vulnerability to gain access to a database.

Reuters reported that Oracle declined to comment on the vulnerability.


Oracle mail,

Dear Oracle customer,

Unscheduled Oracle Security Alert for CVE-2010-0073 was released on February 4, 2010. Oracle strongly recommends applying the patches as soon as possible.

The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of the security vulnerability, and a pointer to obtain the patches. Supported products that are not listed in the "Supported and Affected Products" section of the advisory do not require new patches to be applied.

Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Advisory is available at the following location:

Oracle Critical Patch Updates and Security Alerts: http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle Security Alert CVE-2010-0073: http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html

Thank you,
Customer Support of Oracle Corporation

billyea said,
Luckily you encrypt all your sensitive information before shoving it into the database... right?

What is this encrypt thing you speak of? Funny story though, I saw the other day they decrypt keys stored in the database with the encrypted text. What is the point of this?!?! The programmer said it was impossible to crack...... /le sigh.

highonsnow said,
Might be worth mentioning ye 'ol reliable MySQL in this instance - solid as a rock. Never liked Oracle anyway.

It's a shame those idiots in the EU are allowing Oracle to take over Sun and MySQL, which will destroy it and turn it into a POS like this.

But I'm glad Oracle's got a huge security flaw; hope many thousands more are found and reported. That way I'm sure our taxes can fall when the DBAs finally work out Oracle is crap and move to something decent before it's too late (e.g. MySQL).

n_K said,

It's a shame those idiots in the EU are allowing Oracle to take over Sun and MySQL, which will destroy it and turn it into a POS like this.

+1.

I don't know a DBA who hasn't thrown a few curses around over this.

Edited by ruterger, Feb 8 2010, 4:25pm : Forgot to /quote

highonsnow said,
Might be worth mentioning ye 'ol reliable MySQL in this instance - solid as a rock. Never liked Oracle anyway.

HAHA, did you really just compare MySQL to an Oracle database?

n_K said,

It's a shame those idiots in the EU are allowing Oracle to take over Sun and MySQL, which will destroy it and turn it into a POS like this.

It's a shame MySQL's creator sold it for huge $$$, which will destroy it and turn it into a POS like this.

Very interesting article. I work in the Public Sector and somebody has been trying to gain access to our network for the last four years, but they have failed to gain access; this is going to worry a few IT bosses this morning.