|
||
Title: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 21st, 2006, 4:55pm Hi, Take a look at: http://www.argeniss.com/woodb.html regards, Ivan |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 22nd, 2006, 8:31am Hi Ivan, I also saw it yesterday and blogged about it. I don't agree with it, what does everyone else think? cheers Pete |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 22nd, 2006, 1:40pm Someone on Slashdot brought attention to this part of Argeniss' message: Why not the Month of Oracle Database Bugs? We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more. That is stupid. Give all the info you got and hold nothing back. |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 23rd, 2006, 9:26am Hi Marcel-Jan, Thats the point, they don't want to give them away because they also sell 0-days. is it simply an advertising stunt to sell 0-days? cheers Pete |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 23rd, 2006, 10:10am >> I also saw it yesterday and blogged about it. Hi Pete You say in your piece on the Argensiss stunt|event that you have been told that Oracle are getting on top of the security bug situation. So what do you think of David Litchfield's comparison of security Oracle and MS SQL Server? ( www.databasesecurity.com/dbsec/comparison.pdf ) In particular, what to you think of his concluision that Microsoft have made a much better job of integrating secuity into the software development lifecycle? Cheers, APC |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 23rd, 2006, 10:52am Hi APC, I read David's paper a couple of days ago and planned to blog about it. I also saw Alex's comments on the FD list. I agree with what Alex says in that the comparision whilst on the face of it is true, Microsoft have done a better job of security I also see that the reasons for Oracle's worse job is that the playing field is not level in this comparison. MS have less features in the database for one. Most of the Oracle bugs in the database are SQL Injection in packages that run as the definer. If Oracle didn't just fix each bug as its found and instead fixed the underlying issues: o - remove the need for definer rights packages as much as possible o - remove as much dynamic SQL and PL/SQL as possible o - for whats left avoid concatenations where part of the string is passed in and unchecked. USe binds, use dbms_assert o - install a limited set of functionallity by default not everything possible Oracle are working on these issues and are getting better so whilst David might be able to find a security bug in 5 minutes now it should become harder in the lastest code stream soon. cheers Pete |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 28th, 2006, 11:42am David Litchfield's document has also been an item on Slashdot (http://developers.slashdot.org/article.pl?sid=06/11/27/1843226). I was interested to read responses of the Slashdot community. Some say the comparison of simply the number of bugs is flawed. Others point out that Oracle is a more complex product than SQL Server. I wonder if that is really true. But doesn't that mean that Oracle should put even more effort in solving the bugs? |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 28th, 2006, 5:31pm Hi all, Cesar from Argeniss updated his WoODB webpage: [...] We are sad to announce that due to many problems the Week of Oracle Database Bugs gets suspended. We would like to ask for apologizes to people who supported this and were really excited with the idea, also we would like to thank the people who contributed with Oracle vulnerabilities. [...] (see http://www.argeniss.com/woodb.html) Regards Alexander -- Red-Database-Security GmbH |
||
Title: Re: Argeniss and 0day Oracle exploits Post by Pete Finnigan on Nov 28th, 2006, 5:46pm With regards to the Oracle vs SQL Server comparision and those that say it's not fair - is it fair to compare IIS with Apache? I think most would say yes but the situation is exactly the same as the RDBMS comparision. One is more featured than the other. But features equals attack surface which is why MS learnt their lesson for IIS 6 - features are not enabled by default. Oh - and how many flaws have been patched in IIS6 since 2003? Just 2 - 1 remote code execution (ouch) and 1 DoS. Besides, when you get down to it SQL Server 2005 is as featured as Oracle. Cheers, David |
||
Title: Oracle default Wallet Post by Pete Finnigan on Apr 3rd, 2007, 5:59pm People, how come i change the Oracle wallet default (ewallet.p12) without Infraestructure, in order to generate other with the same encoding(Des3, base64). I already did it, with orapki, but when i try to connect throug the firefox, it tell me, that the server and the firefox, don`t have the same codification. |
||
Powered by YaBB 1 Gold - SP 1.4! Forum software copyright © 2000-2004 Yet another Bulletin Board |