[ISN] 34 flaws found in Oracle database software
InfoSec News
isn at c4i.org
Wed Aug 11 01:40:55 EDT 2004
Forwarded from: chris <chris at defcon.org>
Subject: Re: [ISN] 34 flaws found in Oracle database software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I attended this presentation and it is true that Dave did not do any zero
days. It was, however, an incredible presentation on SQL
injection/queries. In addition, due to A/V technical difficulties, Dave
spent the first 20 minutes of the talk doing a Q&A with the audience on
Oracle/SQL vulnerabilities that was worth the price of admission all by
itself. He started the presentation after the A/V guys got the projectors
working.
The room was packed to capacity, SRO, and as far as I could tell no one
walked out. My guess is that Jaikumar Vijayan did not attend the talk.
Chris
On Mon, 9 Aug 2004, InfoSec News wrote:
> Forwarded from: security curmudgeon <jericho at attrition.org>
>
> [Few comments on this article.. -jericho]
>
> : http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
> :
> : By Jaikumar Vijayan
> : AUGUST 03, 2004
> : COMPUTERWORLD
> :
> : Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
> : in its database software that were disclosed to it early this year by a
> : British bug hunter.
>
> Thirty-four is a lot.. perhaps Oracle could stand to hire some audit
> talent.
>
> : "They include buffer overflows, SQL injection issues and a whole range
> : of other minor issues," said Litchfield, who discovered the flaws. He
> : said that he reported them to Oracle in January and February.
>
> Seven to eight month turnaround time... chalk that up to "regression
> testing"?
>
> : Oracle confirmed the existence of the flaws, which were discussed
> : publicly at last week's Black Hat security conference in Las Vegas, but
> : did not offer any further comment. In an e-mailed statement, a company
> : spokeswoman said that Oracle had fixed the flaws and would issue a
> : security alert "soon."
>
> http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html
>
> All New 0-Day
> David Litchfield, Founder, Next Generation Security Software
> This presentation will be entirely new and never seen before. Code
> included.
>
> Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf
> set of slides (with or without 0-day). I also heard in passing that
> Litchfield told the audience first thing that there would be no 0-day
> disclosure, instead there would only be generic SQL injection
> discussion.
>
> Can anyone confirm this? If true, did Jaikumar Vijayan not attend the
> talk and write this based solely on the schedule?
>
>
>
> _________________________________________
> Help InfoSec News with a donation: http://www.c4i.org/donation.html
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBF5NsOyWtx0MtxawRAuQCAJ9B4mnQ0lp/YXj3jSnxiK61qVFYYwCgldvf
CTLBJAMss2WMe6UtE3ImPDs=
=oU+A
-----END PGP SIGNATURE-----