Josh pointed me at a new news article written by Shawna McAlearney this evening titled http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1115321,00.html - (broken link) OPatch, wherefore art thou? that was published yesterday 15 August 2005. This is an interesting article that talks about the issues of the recent patches that do not work or patches that are incomplete - e.g. fixes that are supposed to be fixed are in fact not.
The article features comments from David Litchfield and makes a good point about regulatory requirements to apply security patches promptly. He also mentions that he will soon release a paper on problems with using OPatch, Oracles patch application tool and also its tool for verifying the patch level of a database. He goes on to discuss the problems of incomplete patches, patches that fail to fix the flaws, the problems with not running post installation procedures, problems with OPatch not updating the registry properly and a problem with rolling back patches where the patch is removed but the inventory is not updated. This leads to the situation where a database looks to be patched but in fact it is not.
This looks like it will be a very interesting paper when released. This article also starts to raise serious worries about the state of the Oracle patching process and tools.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Is it just me or is Orablogs not reachable again?"] [Next entry: "My site and Blog are available again"]
August 2005
- Demystifying MS SQL Server & Oracle database server security - 08/01/2005 by 08/01/2005
- 10g Release 2 is available for download for Windows - 08/04/2005 by 08/04/2005
- Database Vendors Shouldn't Kill the Messenger - 08/05/2005 by 08/05/2005
- 10gR2 the CONNECT role has finally been sanitized - 08/06/2005 by 08/06/2005
- slashdot discussion about Mary Ann Davidsons recent news article - 08/08/2005 by 08/08/2005
- Oracle simplifies SOAs - 08/09/2005 by 08/09/2005
- Hashattack - Oracle password tool update to version 2.0 - 08/11/2005 by 08/11/2005
- Prime number researchers put encryption algorithms such as RSA at risk - 08/12/2005 by 08/12/2005
- The rise of Oracle blogging - 08/14/2005 by 08/14/2005
- Two excellent papers on a new method to combat parameter validation and SQL Injection - 08/15/2005 by 08/15/2005
- OPatch, wherefore art thou? - 08/16/2005 by 08/16/2005
- My site and Blog are available again - 08/17/2005 by 08/17/2005
- Doug talks again about ? and catpatch.sql - 08/18/2005 by 08/18/2005
- Radoslav Rusinov's Blog and mod_plsql passwords in clear text - 08/19/2005 by 08/19/2005
- Red Database Security has released a standalone Oracle password cracker - 08/22/2005 by 08/22/2005
- A second thread on c.d.o.s. about the Oracle password algorithm - 08/23/2005 by 08/23/2005
- A perl script to brute force database connections - 08/24/2005 by 08/24/2005
- Full disclosure list: Summary of the password algorithm and a C code plug-in for John The Ripper password cracker - 08/25/2005 by 08/25/2005
- Alex has released version 1.1 of Checkpwd - the Oracle dictionary password cracker - 08/26/2005 by 08/26/2005
- 1.02 Million hashes/second Oracle dictionary and brute force password cracker available - 08/27/2005 by 08/27/2005
- A career change and some site revamping - 08/29/2005 by 08/29/2005
- Alex has added a page to compare the available Oracle password crackers - 08/31/2005 by 08/31/2005
Archives
Syndication
Powered by gm-rss 2.0.0
