Full Disclosure mailing list archives

Re: Three years and ten months without a patch


From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 16 Nov 2005 14:20:19 +0000

On Wed, 2005-11-16 at 10:19 +0100, Marco Ermini wrote:
On 11/15/05, InfoSecBOFH <infosecbofh () gmail com> wrote:
So why not start teaching some lessons, David, and release exploit code.
It seems that is the only way they learn and take things seriously.

This software rarely ran outside what is considered a "secured"
environment - I mean, this is rarely exposed on the Internet/DMZs. Usually
Oracle DBs (especially these older versions, which didn't have so much
web application software) are used just as a database back end, which
communicates with DMZs through multiple firewall levels (I am not
justifying them in any way, I am just guessing why they may not care
so much). Security is often considered not important - especially if
you can "inexpensively" upgrade to a 9.x or 10.x or 11.x software
version which "never breaks"...

Are we forgetting Slammer? A worm that attacked a product which you
would expect to be used in a similar way.

Backend or not, the system should be patched; being a backend is not a
justifiable reason for not patching it. Ignoring the fact that these
systems are commonly open to the net, you also ignore injection of
commands from a front-end web server being carried backwards, and what
about the local user?

I work in a few environments where a DBA should not be allowed access to
the OS at any point other than to query the DB. A vulnerability such as
this in the software in use would have serious consequences in that
situation. Believing this would be a very narrow view of security, and we
all know security is far from something to be viewed like that.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
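The point Barrie makes about injection "being carried backwards", that the firewalls between the DMZ and the database tier do nothing against SQL the front end itself forwards, as an added example that is not part of the original post or thread. It uses an in-memory SQLite database as a stand-in for the Oracle back end (assumption: the injection mechanics are identical; Oracle's bind placeholder syntax is `:name` rather than `?`), and the login handler, the users table and the attacker input are all constructed for illustration.

```python
import sqlite3


def make_backend():
    # Constructed stand-in for the "back end" database: an in-memory SQLite
    # database plays the role of the Oracle instance behind the firewalls.
    # Oracle itself is not used here; the injection mechanics are the same.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample rows
    )
    conn.commit()
    return conn


def login_concat(conn, user, password):
    # Hypothetical front-end login handler, written the way many application
    # servers in the DMZ built queries in 2005: string concatenation. Whatever
    # the user typed into the web form is forwarded, unchanged, to the back
    # end as part of the SQL text. The DB-tier firewall only ever sees a
    # legitimate client connection carrying a query.
    sql = (
        "SELECT name FROM users WHERE name = '" + user
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, user, password):
    # Hardened version: bind variables. The back end receives the SQL text and
    # the user input as separate things, so the input can never become SQL
    # syntax no matter what the web form contains.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo():
    conn = make_backend()
    # Constructed attacker input: a classic tautology submitted through the
    # web front end. With concatenation the WHERE clause becomes
    #   name = 'nobody' AND password = '' OR '1'='1'
    # which matches every row; with bind variables it matches none.
    evil = "' OR '1'='1"
    return {
        "concat_good": login_concat(conn, "alice", "s3cret"),
        "concat_evil": login_concat(conn, "nobody", evil),
        "bound_evil": login_bound(conn, "nobody", evil),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated handler returns both users for the injected input, the bound handler returns nothing; neither outcome depends on where the database sits on the network, which is the point of the reply above.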

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/