
Oracle Patch Is Shyte: Says Litchfield

The latest security patch leaves a lot to be desired, according to DB superfreak David Litchfield. A researcher at Next Generation Security Software, Litchfield said the latest patch from Oracle is full of holes. The patch, which is supposed to address over 30 vulnerabilities, doesn’t fix a published hole that would allow an attacker to run code.

The exploit, released on the internet last week, isn’t for a flaw that Oracle patched but for a new problem. Initially, experts believed it was for one of the patched vulnerabilities. Intruders could still gain higher privileges on a system via the new flaw in the database’s (DBMS) export extension - a component that has been a recurring source of problems, Litchfield wrote.

The alert from NGSS advised database admins to revoke any public execute permissions that are currently granted. “Security researchers have criticised Oracle for being slow to patch and for not working well with them to fix security holes.”

Article Link
