Bugtraq mailing list archives
Re: [BUGTRAQ] vulnerability in Connection Manager Control binary in Oracle
From: ksoze () OBSCURITY ORG
Date: Mon, 20 Nov 2000 18:15:45 -0800
Go through your Oracle installation and remove the setuid bit on all those little helper applications that you don't use. Don't wait for someone to tell you that one of them is exploitable. warning: all the stuff below is a rant.
> Meanwhile, giving a vendor only 4 days to respond, two of which are a weekend, seems a bit stingy.
Security is a 24/7 requirement. People don't stop owning you on the weekend, or after 5pm, or on stat holidays, etc. A responsible vendor will have their people working overtime, all night, over the weekend, through <insert holiday here> to close security holes. (And if you're thinking about saying this is unfair, don't bother. We all know, sometimes too well, that software companies have no problem making their developers work stupid hours to meet product shipping deadlines.) IMHO giving a vendor a whole 10 minutes to fix things is _doing them a huge favor_. It was the vendor who screwed up in the first place, and as a whole I think we (users who are concerned with security) cut them way too much slack for this.

Sadly, I think that with Oracle it's better to get the stuff out on bugtraq right away than bother with their internal procedures. If there's an overflow in some little helper program that comes with Oracle, it's far better for the admin to make a special group for it and set permissions so that only certain trusted users can run it, or just remove the setuid bit.

I posted a minor issue with their installer (with a good workaround) to bugtraq a while back and it took more than 2 weeks for someone there to say anything to me about it. At the time they had no security mailing list. I was told by their head security person that I would be informed when there was one. I haven't been. I still don't even know if they have such a list. Moreover, Oracle has never made an effort to inform their customers about security problems. I guess we're just expected to know somehow. Why isn't there a big section on technet for security patches? If there is, someone give me the URL.

Anyway, we all know that giving people shells on your database box is just asking for it, right? And if you have to, it's best to remove all the setuid bits from the programs you don't use... all standard procedure for hardening a system.
(I know I really singled out Oracle here, but they're not the only company I can think of that acts like this... and I still think Oracle makes a great database product.)

ksoze