Message-ID: <1132150820.10828.11.camel@localhost.localdomain>
Date: Wed Nov 16 14:20:35 2005
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Three years and ten months without a patch
On Wed, 2005-11-16 at 10:19 +0100, Marco Ermini wrote:
> On 11/15/05, InfoSecBOFH <infosecbofh@...il.com> wrote:
> > So why not start teaching some lessons, David, and release exploit code.
> > It seems that is the only way they learn and take things seriously.
>
> Rarely did this software not run in what is considered a "secured"
> environment - I mean, it is rarely exposed on the Internet/DMZs. Usually
> Oracle DBs (especially these older versions, which didn't have so much
> web application software) are used just as database back ends, which
> communicate with DMZs through multiple firewall levels (I am not
> justifying them in any way, I am just guessing why they may not care
> so much). Security is often considered not important - especially if
> you can "inexpensively" upgrade to a 9.x or 10.x or 11.x software
> version which "never breaks"...
Are we forgetting Slammer? A worm that attacked a product which you
would expect to be used in a similar way.
Backend or not, the system should be patched; being a backend is not a
justifiable reason for not patching the system. Ignoring the fact that
these systems are commonly open to the net, you also ignore injection of
commands from a front-end web server being carried backwards, and what
about the local user?
I work in a few environments where a DBA should not be allowed access to
the OS at any point other than to query the DB. A vulnerability such as
this in the software in use would have serious consequences in that
situation. Believing this would be a very narrow view of security, and we
all know security is far from something to be viewed like that.
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3