Researcher Discloses New Batch of MySQL Vulnerabilities
wiredmikey writes "Over the weekend, a security researcher disclosed seven security vulnerabilities related to MySQL. Of the flaws disclosed, CVE assignments have been issued for five of them. The Red Hat Security Team has opened tracking reports, and according to comments on the Full Disclosure mailing list, Oracle is aware of the zero-days, but has not yet commented on them directly. Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly set up the MySQL server, or the firewall installed in front of it. Yet, they admit that the disclosures are legitimate, and they need to be fixed. One disclosure included details of a user privilege elevation vulnerability, which if exploited could allow an attacker with file permissions the ability to elevate their permissions to that of the MySQL admin user."
Is someone who spends their working day just trying to poke holes and find vulnerabilities in software a "researcher"?
Yes. Much like people trying to poke holes in other people's scientific research are scientists.
Ezekiel 23:20
If it's so easy, why aren't you doing it and making money turning in Chrome flaws to Google? Or Firefox flaws to Mozilla? Or IE flaws to Microsoft? They all pay for real vulnerabilities.
The answer: It's not easy. There is no magic "penetration program". It requires detailed knowledge of processors, compilers, and software architecture. It requires skills that you won't learn in most colleges (R/E). It requires patience. It requires methodical documentation to be good at it. And at the end of the day, there is absolutely zero guarantee that you will find any vulnerabilities or that a vulnerability even exists.
No, but you need a bow tie to be the doctor...because bow ties are cool.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
If you're running Windows, you can default to "yes".
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs