Date: Wed Nov 16 14:20:35 2005
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Three years and ten months without a patch

On Wed, 2005-11-16 at 10:19 +0100, Marco Ermini wrote:
> On 11/15/05, InfoSecBOFH <infosecbofh@...il.com> wrote:
> > So why not start teaching some lessons David and release exploit code.
> >  It seems that is the only way they learn and take thing seriously.
> 
> Rarely did this software run in what is considered a "secured"
> environment - I mean, this is rarely exposed on Internet/DMZs. Usually
> Oracle DBs (especially these older versions which didn't have so much
> web application software) are used just as database back ends, which
> communicate with DMZs through multiple firewall levels (I am not
> justifying them in any way, I am just guessing why they may not care
> so much). Security is often considered not important - especially if
> you can "inexpensively" upgrade to a 9.x or 10.x or 11.x software
> version which "never breaks"...

Are we forgetting Slammer? A worm that attacked a product which you
would expect to be used in a similar way.

Backend or not, the system should be patched; being backend is not a
justifiable reason for not patching the system. Ignoring the fact that
these systems are commonly open to the net, you also ignore injection of
commands from a front end web server being carried backwards, and what
about the local user?

I work in a few environments where a DBA should not be allowed access to
the OS at any point other than to query the DB. A vulnerability such as
this in the software in use would have serious consequences in that
situation. Believing this would be a very narrow view of security and we
all know security is far from something to be viewed like that.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
