Emergency Workaround For Oracle 0-Day

← Back to Stories (view on slashdot.org)

Emergency Workaround For Oracle 0-Day

Posted by kdawson on Tuesday July 29, 2008 @03:04PM from the maybe-somebody-shorted-the-stock dept.

Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.

11 of 152 comments (clear)

Min score:

Reason:

Sort:

Re:I forgot by snl2587 · 2008-07-29 15:18 · Score: 2, Insightful

What a surprise! They were exploited by an actual hacker. Whodathunkit?
perhaps if they paid ... by SlashWombat · 2008-07-29 15:38 · Score: 4, Insightful

I would have thought that an exploit like this would be worth a huge amount of money ... For Oracle, but now for the great pool of unwashed out there.

It strikes me that if Oracle (and other HUGE software vendors) were to offer substantial cash incentives to find holes as gaping as this one obviously is, that the exploit would have been reported directly to Oracle. By substantial i mean in excess of 100,000 euros. (I would have said US dollars, but that currency isn't worth much any more!)
1. Re:perhaps if they paid ... by enosys · 2008-07-29 17:45 · Score: 2, Insightful
  
  The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these.
  Do you mean how they pay employees and some of those employees are involved in testing and debugging? That's not the same as paying for vulnerabilities. Do those employees get a bonus for finding vulnerabilities? What about if someone who is not an employee finds a vulnerability?
  
  The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.
  True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle.
2. Re:perhaps if they paid ... by X0563511 · 2008-07-30 01:27 · Score: 2, Insightful
  
  So what do you think your interpreter is made of? Somewhere, "unsafe" native code has to run.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
3. Re:perhaps if they paid ... by clone53421 · 2008-07-30 02:17 · Score: 2, Insightful
  
  if I go and build an application using overhead on top of more overhead, I'm building on a codebase that's had millions upon millions of hours of real-world testing. Moreover, that overhead, being one single piece of code, can easily be audited for security issues, buffer overflows, etc. None of this can be said of an application I build from scratch on top of an "unsafe" language.
  
  No, but it'll have less overhead. I wonder if they were concerned about performance when they designed this?
  Seriously, though: I'm not saying the application design you described doesn't have its place. In fact it's an excellent way to avoid these sort of problems if you're willing to sacrifice some flexibility and speed. In a high-performance database, though, every little bit is critical. Yes, they must hire top-notch programmers to avoid mistakes like this, but isn't that why the software package costs so much?
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
what in the world is mod_wl do? by Anonymous Coward · 2008-07-29 15:44 · Score: 4, Insightful

i just tried to google mod_wl and the first page
of the results do not clearly tell me what mod_wl
even does. i do not know a single person who uses
it and i work a large ISP.
this has nothing to do with oracle's database and
i think slashdot editors really need to stop with
these silly headlines designed to get me to click
on stories. grow up! make a profit without deceit!
frankly, this post about this overflow is such
a non issue for me it is funny.
can anyone explain what in the heck mod_wl even does?
Applying Schneier's dictum by Anonymous Coward · 2008-07-29 15:50 · Score: 0, Insightful

Substantial improvement in security and software quality will require vendors to take responsibility for their bugs. The most likely way to achieve this, is to force actual losses upon their customers, who will then complain effectively to the vendors.
"Did not contact Oracle first." by InlawBiker · 2008-07-29 16:25 · Score: 3, Insightful

"Whoever published the vulnerability and matching exploit code did not contact Oracle first."
It's interesting to me that this is a tag in the OP. I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it. For the most part it's people pushing software to its limits that find the bugs. BUT - the more business is done on the Internet the more valuable exploits become.
I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.
Reporting to vendors is the right thing to do, but if there's one thing I've learned in my life it's that when money and ethics collide money almost always wins.
1. Re:"Did not contact Oracle first." by John+Whitley · 2008-07-29 17:01 · Score: 2, Insightful
  
  I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.
  No need for abstract belief; this is near certainty. Even "better", I've seen stuff that would curl your teeth that the vendor apparently knew about but remained quietly unpatched. That was in the toolset of a professional IT security testing company. Their stuff made Metasploit look like a Lego model of a battleship vs. the real thing. It's sobering knowing that tools exist that are the direct realization of the weakest link principle. With really well-thought out and easy to use UI, and backend code just as nice. Click, ownage, click, ownage... /shudder
One man's ruffianity... by Capt.+Skinny · 2008-07-29 16:49 · Score: 5, Insightful

One man's unrefined ruffianity is another man's unconscious vernacular.

Moving to a university research lab after five years in IT at a paper mill in East Bumville, I really had to make a conscious effort to unlearn the conversational vernacular that I had picked up over the last few years.

Oh, and I believe the correct expression is "Do you kiss your mother with that mouth?"
Fix your grammar by MrNaz · 2008-07-29 17:22 · Score: 2, Insightful

I'd comment on the absurdity of your comment, but it's much more fun to point out to trolls that their grammar stinks.
It's "might not have caught it", although, we all expect trolls to have the linguistic skills of neanderthals.

--
I hate printers.