Oracle's Massive Security Update Missed One Critical Flaw

Oracle's recently released quarterly security update package contains a huge number of security fixes. The large number of security fixes is a direct reflection of Oracle's willingness to improve the security of its products. Nevertheless, the shear volume of flaws has caused at least some experts to reconsider Oracle's status as a bastion of security.

Compounding the already questionable status, there remains at least one critical vulnerability that went unpatched in the company's most recent quarterly security update. According to David Litchfield of Next Generation Security Software (NGS), a critical flaw in the Oracle PLSQL Gateway component could allow intruders to gain full control of the database administration backend.

Litchfield explained what he calls a trivial workaround to protect vulnerable systems. The workaround involves using the mod_rewrite module, which is part of Oracle's Apache-based Web server platform. Litchfield said administrators can insert four lines of code (as seen below) into the Web server's http.conf file and then restart the Web server for the code to take effect. Doing so closes the security hole.

RewriteEngine on
RewriteCond %\{QUERY_STRING\} ^.*\).*|.*%29.*$
RewriteRule ^.*$
RewriteRule ^.*\).*|.*%29.*$

"This flaw was reported to Oracle on the 26th of October 2005," said Litchfield. "It was hoped that due to the severity of the problem Oracle would release a fix or a workaround \[in the latest quarterly security update package\]. I don't think leaving their customers vulnerable for another 3 months, or perhaps even longer, until the next \[quarterly security update\] is reasonable, especially when this bug is so easy to fix and easy to workaround."

In December 2005 Oracle announced that it will integrate Fortify Software's security analysis tools into its software development process. Fortify Software's tools scan source code for potential security problems, test software for various vulnerabilities such as buffer overflows and SQL injection attacks, and help manage the security aspects of project development. The use of Fortify's solutions could reduce the number of patches released in the long run.

Meanwhile security watchdogs will undoubtedly continue to fill in the gaps to help ensure systems remain protected against known vulnerabilities.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.