


by Paul Kerstein

Exploit Circulating for Newly Patched Oracle Bug

Oct 21, 2005

Database administrators now have a little added incentive to install Oracle Corp.’s latest security patches, released earlier this week. Malicious software is now circulating that can crash an unpatched database server, and one security expert predicted that more malware targeting the 89 recently patched vulnerabilities is on the way.

On Thursday, code was published on the Full Disclosure security mailing list that exploits a buffer overflow vulnerability in certain versions of Oracle’s databases.

This code could be used by attackers to bring down a database, using a technique called an SQL injection attack, said Alexander Kornbrust, a business director at Red-Database-Security GmbH, in Neunkirchen, Germany. In SQL injection attacks, Web applications that work with the database are tricked into sending malicious database queries using the SQL language.
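The mechanism Kornbrust describes, shown as an added example that is not part of the article and not Oracle's or Red-Database-Security's code: a Web application that splices user input into SQL text lets the input change the query's structure, whereas a bind parameter keeps it as data. Python's standard-library sqlite3 stands in for an Oracle database so the example runs offline; the `accounts` table, its rows and both inputs are constructed for the demonstration.

```python
"""SQL injection: string-built query versus bind parameter.

Added example, not from the article. sqlite3 is a stand-in for Oracle so
the code runs without a database server; all data here is constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the article warns about: the input is pasted into the
    SQL text, so the database cannot tell data from query structure."""
    sql = (
        "SELECT username, balance FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the SQL text is fixed before the input is seen, and the
    input travels as a bound value, so it can never alter the query."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal and a crafted input (both constructed)."""
    conn = make_db()
    normal = "alice"
    # Constructed input of the kind an injection attempt carries: it closes
    # the quoted literal and appends an always-true condition.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the crafted input the string-built query returns every row in the table, while the parameterized query returns nothing because the input is matched as a literal username. Note what this does and does not buy a defender in the article's scenario: parameterizing the Web application's queries stops attacker-controlled SQL from reaching the database through that path, but the buffer overflow lives inside the server and is still reachable by anyone holding database credentials, so only the Oracle patch closes it.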

The exploit could be used either by an attacker who had user credentials on an unpatched database or by a remote attacker, using an SQL injection attack over the Internet, Kornbrust said. “I tried the exploit and it’s working,” he said in an interview conducted via instant message. “I highly recommend customers to apply these patches as soon as possible.”

In a statement, Oracle said that versions 9i and 10g of the database software were vulnerable to the bug, but the exploit published on Full Disclosure affects only 10g users, according to Kornbrust.

On Tuesday, Oracle released a bundle of critical security patches that fixed 89 bugs in its database and application servers, as well as some PeopleSoft and J.D. Edwards applications. Oracle releases security patches every three months as part of its security update program.

Normally, a few exploits begin circulating after each Oracle security update, Kornbrust said.

The buffer overflow vulnerability is described as vulnerability number DB27 on this page:

The Full Disclosure exploit code can be found here:

Oracle did not respond to requests for comment on this story.

By Robert McMillan – IDG News Service (San Francisco Bureau)