Oracle 9i Isn't Quite Unbreakable
BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com.
For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."
As a SysAdmin who never explicitly subscribed to any of the 3 CMP/techweb publications I now receive weekly/biweekly/monthly, or the electronic C|net shite I'm now eternally a "customer" of, it's pretty obvious who pays the bills for the (largely) waste of bandwidth reviews they provide. Wake up... they aren't going to bite the hands that feed them - particularly MS or Oracle.
While you/I/every other jaded IT employee with half a brain can be critical of this two faced advertising driven BS, the individual with a tight grip on the purse strings for IT expenditures is getting the same mailings & treating them as dogma - because he doesn't know/care that he's being fed crap with a fancy ribbon around it.
Until the push-periodicals are no longer driven by big bucks advertising contracts & therefore biased coverage of these products, IT "managers" will have a steady supply of bullshit benchmarks & reviews IN WRITING to reinforce & perpetuate their decision making process.
-ct
Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.
Suuuure, let's just keep the internal networks completely insecure. After all, all attacks are done from the outside, we can always trust our employees, right? Not. Firewalls are a nice add-on, but they're giving a false sense of security if you still keep your systems behind these firewalls unpatched, out-of-the-box-installed and poorly configured. Reports show that up to 80% (I think it was) of attacks happen from the inside.
Why are people still coding buffer overflows anyway?
Sure, I've seen fixed size buffers with no checking, or calls to malloc with no checking, on ancient Unix code written in C dating back to the 1980s, but surely nobody has written gibberish like that for years?
Or are there still hordes of new graduates, with no commercial training or experience, let loose on real products with no checking of their work?
You're totally right Bryan. In fact, my original submission of this story was edited down. /.? /. to pick up the problem with the Mac/iPod as well as the Linux kernel problem with lost data, but if Bill Gates breaks wind there's 15 critiques on /. within seconds. /. have a right to post what they want, edit what they want and do whatever the heck they choose. It's their servers and their bandwidth. I don't want to foster the age-old MS vs Linux vs Mac vs BSD debate. Use whatever the hell works best for you and your company, get off your high horse, and let other people use what they want. Opinions are truly like assholes (everyone has them, especially me). /. has become a news site. People look to this place to see what's going on in the world and the Internet. Too many people today (including the media) have forgotten that news is supposed to be OBJECTIVE. That means you report all of it, even the stuff you don't like, and you leave the spin and editing for the comments/editorials. I see a lot about censorship on Slashdot, but not reporting, modding down or editing other people's posts because you disagree with their opinion is just that. Let's get back to seeing all the facts on the front page and the rants in the comments.
In my original submission I pointed out how the notice of this Oracle exploit occurred the same day as the XP hole, yet guess which one made it to
Apparently whoever decides which submissions are valid edited this little fact out. Granted, the XP hole is HUGE and Microsoft is absolutely clueless when it comes to security, but Ellison and the trade mags hyped 9i's being "unbreakable" to the moon. It took forever for
The people who run
My rambling point is that
To my limited understanding of what these vulnerabilities are, they could be fixed by a few simple IFs when receiving things into the buffer. I know programmers typically often expect things to work, and don't build in checks against everything which a user (or a socket) could throw at them, whether through stupidity or maliciousness, but on products like this or XP, you'd think they WOULD bother with error-checking. Perhaps 70% of my web application is error-checking and idiot-proofing: laborious, but if an amateur hack like me can do it in the unpaid coding of a tiny website, why can't professionals?
And most of all... Surely common weaknesses can be handled by a common error-checking routine?
i.e., they write buffer_overflow_check(buffer,incomingdata) and religiously use it every time? This way any security flaws will affect every buffer use in the whole program equally - making them easier to spot, I would have thought - and by the same token, if there are no flaws, the whole program is safe.
AND it's easier to debug and patch.
Perhaps a better programmer than me could explain why this isn't possible?
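One way to make the shared check routine the post above describes concrete, as an added example that is not from the original thread: the buffer's capacity travels with the data, so every receive path calls the same bounds check before copying, and oversized input is rejected rather than overrunning the array. The names (`recvbuf_t`, `recvbuf_append`, `RECV_CAP`) are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size receive buffer. Keeping the capacity and the
 * current length together is what makes one shared check routine possible. */
#define RECV_CAP 64
typedef struct {
    unsigned char data[RECV_CAP];
    size_t len;               /* bytes currently stored */
} recvbuf_t;

/* The "buffer_overflow_check" from the post, as one routine: returns true
 * only if n more bytes fit. Written so the subtraction itself cannot wrap. */
bool buffer_overflow_check(const recvbuf_t *b, size_t n) {
    return b->len <= RECV_CAP && n <= RECV_CAP - b->len;
}

/* Append n bytes (e.g. one socket read) through the shared check. On an
 * oversized chunk the buffer is left untouched and false is returned. */
bool recvbuf_append(recvbuf_t *b, const unsigned char *src, size_t n) {
    if (!buffer_overflow_check(b, n))
        return false;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return true;
}

/* Constructed input: a peer offers three 40-byte chunks (120 bytes) to a
 * 64-byte buffer. Returns how many chunks were accepted. */
int demo_oversized_input(void) {
    recvbuf_t b = { .len = 0 };
    unsigned char chunk[40];
    memset(chunk, 'A', sizeof chunk);
    int accepted = 0;
    for (int i = 0; i < 3; i++)
        accepted += recvbuf_append(&b, chunk, sizeof chunk) ? 1 : 0;
    return accepted;  /* 1: the first chunk fits, the next two are refused */
}
```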
Just as there is no truly free lunch, nothing is truly "unbreakable".
We've said it before so let's go once more around the old oak tree: When you claim something is unbreakable you 1) Immediately mobilize an army of dorks trying to prove you wrong and 2) Are lying to sell more goods since nothing in this universe is truly unbreakable.
Even our beautiful Earth will one day be burnt to cinders when the Sun expands before dying...
Has anybody that isn't as paranoid as me considered that this may have been a reasoned move on the part of Oracle? (Or on the part of any company that has claimed its software to be "Unbreakable"...) After all, QA people cost money. It would be relatively simple to do a short QA on functionality, call it unbreakable, and let somebody else find the "show-stopper" bugs for you, for free. For the myopic businessman, this looks like a win-win.
"If I say it's unbreakable, and nobody finds any problems, we sell $1 billion worth of software and I'm happy...if they find bugs I can always say all software has bugs and we'll have found a big problem without paying QA an extra month's salary to find it."
Who did what now?