Home page logo
/

isn logo Information Security News mailing list archives

Re: 34 flaws found in Oracle database software
From: InfoSec News <isn () c4i org>
Date: Wed, 11 Aug 2004 00:40:55 -0500 (CDT)

Forwarded from: chris <chris () defcon org>
Subject: Re: [ISN] 34 flaws found in Oracle database software 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I attended this presentation and it is true that Dave did not do any zero 
days.  It was, however an incredible presentation on SQL 
injection/queries.  In addition, due to A/V technical difficulties, Dave 
spent the first 20 minutes of the talk doing a Q&A with the audience on 
Oracle/SQL vulnerabilities that was worth the price of admission all by 
itself.  He started the presentation after the A/V guys got the projectors 
working.

The room was packed to capacity, SRO, and as far as I could tell no one 
walked out.  My guess is that Jaikumar Vijayan did not attend the talk.


Chris



On Mon, 9 Aug 2004, InfoSec News wrote:

Forwarded from: security curmudgeon <jericho () attrition org>

[Few comments on this article..  -jericho]

: http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
:
: By Jaikumar Vijayan
: AUGUST 03, 2004
: COMPUTERWORLD
:
: Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
: in its database software that were disclosed to it early this year by a
: British bug hunter.

Thirty four is a lot.. perhaps Oracle could stand to hire some audit
talent.

: "They include buffer overflows, SQL injection issues and a whole range
: of other minor issues," said Litchfield, who discovered the flaws. He
: said that he reported them to Oracle in January and February.

Seven to eight month turnaround time... chalk that up to "regression
testing"?

: Oracle confirmed the existence of the flaws, which were discussed
: publicly at last week's Black Hat security conference in Las Vegas, but
: did not offer any further comment. In an e-mailed statement, a company
: spokeswoman said that Oracle had fixed the flaws and would issue a
: security alert "soon."

http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html

 All New 0-Day
 David Litchfield, Founder, Next Generation Security Software
 This presentation will be entirely new and never seen before. Code
 included.

Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf
set of slides (with or without 0-day). I also heard in passing that
Litchfield told the audience first thing that there would be no 0-day
disclosure, instead there would only be generic SQL injection
discussion.

Can anyone confirm this? If true, did Jaikumar Vijayan not attend the
talk and write this based solely on the schedule?



_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBF5NsOyWtx0MtxawRAuQCAJ9B4mnQ0lp/YXj3jSnxiK61qVFYYwCgldvf
CTLBJAMss2WMe6UtE3ImPDs=
=oU+A
-----END PGP SIGNATURE-----



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault