Slashdot Mirror
Oracle 9i Isn't Quite Unbreakable
BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com.
For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."
I'm waiting for my National ID card.
Shooting your mouth off like that. You either get good publicity after announcing that the skript kiddies were unable to own your server or you get free security testing.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
That it was bound to happen. The guy knew this would happen, he just got a lot of free publicity and testing.
Also, this is ONE hole, how many of Microsoft's holes have been exposed? I don't even want to start counting.
Oh, hang on, I think I've spotted something
There's a juicy irony in the content of that page...
if this is going to affect Larry's Oracard project. Maybe the government should consider using mySQL? ;-)
"The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
They that quote Benjamin Franklin on liberty and safety deserve neither.
A dollar dies
http://www.securityfocus.com/vulns/stats.shtml
And we pull this link for the 100'th time because we like to show that the only patch that works is the SYSADMIN/ADMINISTRATOR patch.
To bad they can't be downloaded from the net.
Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.
The subject says it all... :)
PostgreSQL
I rather be free in hell than a slave in heaven.
The difficulty may be assomtopic to infinity, but it never hits the "unbreakable" axis.
/. really needs to revamp their whole moderator system. I post info (not like the dribble I posted above) and get modded down 3 times for being redundent?!? Hello, just because someone posted a similar reply 4 seconds before I hit "submit" doesn't mean I'm redundent, it means I type slower.
Now for my beef-
As some other poster has in his/her sig, the more good comments you right the greater the chance you get modded down! (Gee, how long until this post gets "offtopic" (even though the first paragraph deals with the topic) or flamebait (for speaking about the bias that occurs here?)
Hint for newbies, always LOVE Linux, always HATE Microsoft, be ambiguent about MaxOSX, and speek a lot of "Elite" words like symmetric anal rapings- 'cause you would be in jail And I mean IN
Vote monkeys into Congress. They are cheaper and more trustworthy.
Nobody in their right mind declares software to be unbreakable. It is just like in science, even after the closest scrutiny all you can say about a theory is: "Not YET disproven". Even after the closest scrutiny you'll say about the program: "not yet broken". Because no matter how much review you did, there could be someone smarter then you.
Use Adsense for Charity
Some people are confusing the Oracle9i Database with the Oracle9i Application Server. I agree that the naming is confusingly similar but they are two very different products. The article refers to Oracle9i Application Server, not the database.
Oracle9i Application Server is basically Apache 1.3 bundled with Orion Application Server and and embedded (yes, embedded!) Oracle database server used for data caching. There are a variety of add-ons included as well, depending on how many tens of thousands of dollars (per processor) one wants to spend.
Also, Larry's term "unbreakable" refers not just to security issues but also availability and scaleability.
We all do the best we can. I am sure that this will be patched quickly. Makes me feel sorry for those poor programmers who will probably be working over the holidays to fix this.
Why are people still coding buffer overflows anyway?
Sure, I've seen fixed size buffers with no checking, or calls to malloc with no checking, on ancient Unix code written in C dating back to the 1980s, but surely nobody has written gibberish like that for years?
Or are there still hordes of new graduates, with no commercial training or experience, let loose on real products with no checking of their work?
Remind them to change the idiotic 'CHANGE_ON_INSTALL' SYS's(highest privilege user) default password first. :)
At http://www.thinknic.com
>face it, Apache was never designed to handle
>mission-critical, Enterprise-level applications.
>It's great for serving web-pages out of your
>dorm-room, but for a $$$ piece of software like
>Oracle 9i, I don't know.
>you are never going to be able to fully vet a
>piece of software like Apache that was developed
>by non-professionals
Why are you spreading fud like this ? what is your hidden agenda ?
Many professional programmers particularly from IBM and SUN participate to the Apache project, plus, IIS has been developed by so called professionals, well sorry, it's not particularly known for it's robustness.
Please check out your facts before posting uninformed posts, or stop spreading fud.
Is it possible that these mistakes (all security mistakes, not just the few that make Slashdot) are not worthy of publication? In this particular case, yes, it's funny to make fun of the sassy man that thumbed his nose at the big bad man and then had the same problem.
Well, you didn't have to wait for it since last year, when the NIC computer came out, one of Larry's brainchilds.
ceci n'est pas une signature
Back in prehistoric times, I ran UNIX on an 80286. One of the "features" of the 80286 was the use of segments to address memory. The maximum size of a segment was 64KB. Although this caused problems, it had a useful side effect. Due to the way that the C compiler allocated memory to segments in the large memory model, many buffer overflows produced immediate segmentation faults instead of silenting corrupting other areas of memory. This was actually useful for testing programs that would run without obvious errors on systems with 32-bit linear address spaces. Tagged and segmented memory systems have fallen out of favor with the increasing popularity of systems written in C. If we are not going to replace C with something safer, such as Ada, maybe we should look at the use of more sophisticated memory models as a way of detecting errors.
Mea navis aericumbens anguillis abundat
I gotta say, as totally irresponible as his statements were, he sure did find an easy way to come up with the fastest, cheapest, most thorough QA department in the world.
I shuddered when I first read that Oracle ad. I knew it would be only a few weeks before exploits were announced from 9i. Larry, did you learn nothing from Titanic besides that with enough money, even a terrible, terrible movie can win oscars?
Also, the security adage comes to mind: security is a process, not a product.
To my limited understanding of what these vulnerabilities are, they could be fixed by a few simple IFs when recieving things into the bugger. I know programmers typically often expect things to work, and dont built in checks against everything which a user (or a socket) could throw at them, whether through stupitidy or maliciousness, but on products like this or XP, you'd think they WOULD bother with error-checking. Perhaps 70% of my web application is error-checking and idiot-proofing: laborious, but if an amateur hack like me can do it in the unpaid coding of a tiny website, why cant professionals?
And most of all... Surely common weaknesses can be handled by a common error-checking routine?
ie, they write buffer_overflow_check(buffer,incomingdata) and religiously use it every time? This way any security flaws will affect every buffer use in the whole program equally - making them easier to spot, I would have thought - and by the same token, if there are no flaws, the whole program is safe.
AND its easier to debug and patch.
Perhaps a better programmer than me could explain why this isnt possible?
More proof that Microsoft does not hold a monopoly on bugs.
Oh, the self-righteous smarniness of chauvinists everywhere. If we needed more proof that Microsoft does not hold a monopoly on bugs, one only need look at any major open-sourced project. The Changelog for the Linux kernel, for instance, documents beaucoup bugs that users were living with on their OS (forget about their DB, which as someone else pointed out is most likely stashed away behind a firewall anyways). Why does such bugginess there not bear the same level of ridicule ?
You'd think they'd be a big hit with the Slashdot set seeing as they boot Linux with X off a CD, and have Ethernet, USB, a modem and VGA support built in, all for $200. I guess lame jokes predicated on them not existing are more fun.
The reason for this is that configuring a perfect firewall is near-impossible. Even if it were, it is easy to breach this security by opening the wrong port. If the rest of the infrastructure is secure, though, the firewall becomes a way of covering unanticipated (or as yet undiscovered) security holes. Security systems like firewalls only buy you time: if a new vulnerability appears they will keep you safe until a patch is available, but if you never apply the patch, the firewall will eventually be breached and your data exposed.
You can't rely on security systems to make safe systems which are intrinsically vulnerable. So, a secure database of the kind Oracle are trying to deliver makes a significant contribution to Internet security, even if such systems properly should be behind a firewall.
"Well, put a stake in my heart and drag me into sunlight."
At least try to confirm them. :P
A Google search returns this article first that claims 70%, and carried some credibility.
That article, however, was three years old, and I have to wonder if that statistic has changed with the proliferation of script kiddies and root kits. Perhaps "successful attacks" are that high, but in our company, we see attacks almost constantly from the outside, generally automated I grant you, but they are still attacks, whereas I doubt there have been very many inside attacks in our company of 6 people, two of whom are accountants.
You are wrong in so many ways. First of all, a statement about the properties of a program need not be empirical science. If one really wants to, these properties can be proven, for example by lambda-calculus. Thus programming is like mathematics; and just like maths you can of course make mistakes in your proof (the most common being perhaps mistaken assumptions). However, mathematical theorems are generally regarded to be proven (not just "not YET disproven") when enough people have seen it.
One of the true achievements of the 20th century was the philosophical understanding that the meaning of a word (in this case "proven") is not definable by anything else than the sum of its usage. To say that we cannot have absolute knowledge on the workings of our programs is to take the first step towards a solipsistic view of the world (we cannot know anything with certainty, thus I assert nothing more than that I exist).
I am willing to debate any solipsists on slashdot on this subject. I am also quite willing to debate those who have not understood the lessons of Wittgenstein, thus making uneducated statements on epistemology to the effect of "software cannot be theoretically unbreakable".
I find it strange that while most people have some knowledge on what the new findings in physics since the 17th century are, virtually no one knows in what way philosophy have progressed.
Opinions stated are mine and do not reflect those of the Illuminati
You're still waiting for his network computer? It's been out for years, and he's actually making a profit off it. www.thinknic.com
Just as there is no truly free lunch, nothing is truly "unbreakable".
We've said it before so lets go once more around the old oak tree: When you claim something is unbreakable you 1) Immediately mobilize an army of dorks trying to prove you wrong and 2) Are lying to sell more goods since nothing in this universe is truly unbreakable.
Even the our beautiful Earth will one day be burnt to cinders when the Sun expands before dying...
Has anybody that isn't as paranoid as me considered that this may have been a reasoned move on the part of Oracle? (Or on the part of any company that has claimed it's software to be "Unbreakable"...) After all, QA people cost money. It would be relatively simple to do a short QA on functionality, call it unbreakable, and let somebody else find the "show-stopper" bugs for you, for free. For the myopic business man, this looks like a win-win.
"If I say it's unbreakable, and nobody finds any problems, we sell $1 billion worth of software and I'm happy...if they find bugs I can always say all software has bugs and we'll have found a big problem without paying QA an extra month's salary to find it."
Who did what now?
I always said it, Ellison is crazy. He should seek psychiatric help.
...they may as well have painted a bull's eye on the box. I love it when giant software companies tout security and reliability of their products as the main selling point in their ads. It always comes back to bite them in the ass. Software companies should take the advice of the airline industry and never tout their safety records :)
Chris
http://www.devitry.com/security.html
-- these are only opinions and they might not be mine.
I'd like to say that no software is ever completely perfect, and flaws are in every thing. So, happy holidays,
AJ
-------
artlu.net
In the end, the ultimate issue is the use of a programming language (C or C++) that provides no memory management or garbage collection. Memory management issues lurk behind a vast number of the bugs and exploits you hear about, and on that fine day when people start executing their code in memory-managed sandbox environments, the world will be a safer place. Unfortunately C will likely be in heavy use for the next twenty years and exist in legacy code until you die, so maybe learning how to find overflow exploits is a good career move.
You better believe that there are still hordes of people coding unchecked buffers every day. Although they are not the only ones, Microsoft seems particularly bent toward unchecked buufers. Many if not most of their bugs that allow execution of arbitrary code are due to buffer overflows. IIS is riddled with them.
MSFT might not have a monopoly on bugs, but the crappiness of the default security model in the MSFT OSes makes this bug much worse under Windows.
"On Microsoft Windows NT/2000 systems this may mean that the attacker-supplied code is executed with SYSTEM level privileges, as this is the privilege level that the Apache process runs under. On other operating systems successful exploitation may merit local access for the attacker. "
Bill, Larry, everybody knows you guys don't like each other. Now why don't you just take this little spat to email.
A buffer overflow on a DB server isn't as deadly as on a web server or other offered public services.
If the perimeter defense is setup properly, DB should never be directly accesible from the Internet (unless some abnormal setup). Just for information, for those web application driven by DB, I prefer to have a different subnet behind the web server using the internal IP address, so the DB is only accessible through the Web server (from the Internet). Any overflow attacker will have to go through the Web server and then the DB server.
Having said that, there is still risk for internal attack (not to mention a lot of security risk comes from internal). So a quick patch is still very necessary.
I have had a few sites the require access from business partners thru VPN to directly access the DB, I see this as a high threat and try my best effort to guard it. Especially because you cannot have a proxy type of filter from another vendor to screen the content (such as e-mail and web). IDS and firewall will not catch a lot of the direct attack. So, the best way to allow access to DB is still via indirect method (such as letting business partner use a web interface to access data.
if a word is the sum of its usage, and 'usage' is a funny way of referring to the states of a fuzzy subset of the 10e11 neurons (made up number) firing at the time the writer thinks about the meaning of the whole sentence in which the word appears, then who are you to say
the meaning of a word (in this case "proven") is not definable by anything else than the sum of its usage?
Goddamn it, I as a mathematician can define a word in a mathematical way, and so that my Pure definition isn't altered by the perceptions of the people using it, any time I damn well please! When I say 'average', and the context makes it clear I mean arithmetic mean, then you don't have a right to say that the meaning of the word is also governed by the fact that most people have connotations of 'typical', 'characteristic', or even 'less than the best' or 'more than the worst' or anything else that isn't part of the definition. When I say that I throw a die (half of two dice) a bunch of times, getting an average result of '4', then part of the 'meaning' you seem to assert is that there were more 4's than other numbers, or that most throws were closer to 4 than to 1 or 6, or anything else that's part of the 'connotation'. Although some of these things may follow from combinatorix, none of them, even when we know them enough that they become part of the word 'average' on an intuitive level, change the definition of that word.
Oh, and about your 'I am willing to debate any solipsists on slashdot on this subject': why don't you go get fucked up the ass with a rusty shotgun, you fucking shithead.
Many professional programmers particularly from IBM and SUN participate to the Apache project, plus, IIS has been developed by so called professionals, well sorry, it's not particularly known for it's robustness.
hehe.. now its your turn to stop the FUD. You wouldn't by chance be a linux supported would you? Bias is the basis for FUD which your post exhibits wonderfully.
are you a monkey ? (serious question)
some things are simply more breakable than others!
Ok, lets have a little game, whats the name of the web server that has seen more worms than my garden's compost heap in the last year??
*notices all the geeks waving hands saying oh oh I know*
Heres a clue: it's not Apache.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.