Full Disclosure mailing list archives
Re: Three years and ten months without a patch
From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 16 Nov 2005 14:20:19 +0000
On Wed, 2005-11-16 at 10:19 +0100, Marco Ermini wrote:
> On 11/15/05, InfoSecBOFH <infosecbofh () gmail com> wrote:
>> So why not start teaching some lessons, David, and release exploit code. It seems that is the only way they learn and take things seriously.
>
> Rarely did this software not run in what is considered a "secured" environment - I mean, this is rarely exposed on the Internet/DMZs. Usually Oracle DBs (especially these older versions, which didn't have so much web application software) are used just as database back ends, which communicate with DMZs through multiple firewall levels (I am not justifying them in any way, I am just guessing why they may not care so much). Security is often considered not important - especially if you can "inexpensively" upgrade to a 9.x or 10.x or 11.x software version which "never breaks"...
Are we forgetting Slammer? A worm that attacked a product which you would expect to be used in a similar way. Backend or not, the system should be patched; being a backend is not a justifiable reason for not patching the system.

Ignoring the fact that these systems are commonly open to the net, you also ignore injection of commands from a front-end web server being carried backwards. And what about the local user? I work in a few environments where a DBA should not be allowed access to the OS at any point other than to query the DB. A vulnerability such as this in the software in use would have serious consequences in that situation.

Believing this would be a very narrow view of security, and we all know security is far from something to be viewed like that.

--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Three years and ten months without a patch David Litchfield (Nov 15)
- Re: Three years and ten months without a patch InfoSecBOFH (Nov 15)
- Re: Three years and ten months without a patch Marco Ermini (Nov 16)
- Re: Three years and ten months without a patch Barrie Dempster (Nov 16)
- Re: Three years and ten months without a patch Marco Ermini (Nov 16)
- Re: Three years and ten months without a patch Marco Ermini (Nov 16)
- Re: Three years and ten months without a patch InfoSecBOFH (Nov 15)