Cesar Cerrudo spoke at the recent Blackhat Federal conference in Washington with a paper titled "Practical 10 Minute Security Audit: The Oracle Case", which describes how to spend 10 minutes and a few free tools to find at least 5 local 0-days in Oracle. The tools are Process Explorer and WinObj from SysInternals and PipeACLTools from BindView. Cesar also includes a white paper of the same name and an Oracle exploit. The paper is not bad; the bugs are all local, so exploiting them would be limited to those with local access, and as I said the other day they are all related to NULL DACL issues, which David spoke about on the Oracle-L list last year and also in his recent book.
The value in the presentation, though, is that free tools can still be used to find security bugs in Oracle (and indeed in any software). This indicates that the battle is far from over for Oracle: they may be on top of SQL injection to some extent, but they still need to make headway on the core issues in the software. I wonder if Fortify finds these types of issues?
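The NULL DACL problem the paper turns on is easy to check for from the defender's side once you have an object's security descriptor as an SDDL string (for files and registry keys, `(Get-Acl <path>).Sddl` in PowerShell; for pipes and kernel objects, tools such as the ones named above can dump the ACL). The following script is an added example, not code from Cesar's paper or from any of the tools mentioned: it parses the DACL portion of SDDL and flags the two weak states that make an Oracle object (or anything else) locally exploitable, a missing DACL (NULL DACL, which grants everyone full control) and an allow ACE that gives write-class rights to a broad principal such as Everyone or Authenticated Users. The sample SDDL strings and object names are constructed for the demonstration.

```python
import re

# Well-known SID abbreviations for broad, low-trust principals (SDDL 2-letter codes).
BROAD_PRINCIPALS = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Users",
    "AN": "Anonymous",
    "IU": "Interactive Users",
}

# Two-letter SDDL right codes that allow changing the object or its ACL.
WRITE_RIGHT_CODES = {"GA", "GW", "FA", "FW", "KA", "KW", "WD", "WO", "WP", "CC", "DC"}

# Access-mask bits treated as write-class when rights are given in hex
# (assumption for this example: GENERIC_ALL, GENERIC_WRITE, WRITE_DAC,
# WRITE_OWNER, and the low WRITE_DATA / APPEND_DATA / SET_VALUE bits).
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x2 | 0x4

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """Return the rights field as a list of 2-letter codes, or a single hex string."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def grants_write(rights):
    """True if the parsed rights include any write-class right."""
    for r in rights:
        if r.lower().startswith("0x"):
            if int(r, 16) & WRITE_MASK:
                return True
        elif r in WRITE_RIGHT_CODES:
            return True
    return False


def parse_dacl(sddl):
    """Return (dacl_present, aces) for an SDDL string.

    dacl_present is False when there is no 'D:' component at all, which is how
    a NULL DACL shows up in SDDL. An empty 'D:' (no ACEs) is an empty DACL,
    which grants access to nobody and is not the same weakness.
    """
    idx = sddl.find("D:")
    if idx < 0:
        return False, []
    section = sddl[idx + 2:]
    sacl = section.find("S:")          # the SACL, if any, follows the DACL
    if sacl >= 0:
        section = section[:sacl]
    aces = []
    for body in ACE_RE.findall(section):
        fields = body.split(";")
        if len(fields) < 6:
            continue                   # malformed or conditional ACE; skip
        ace_type, _flags, rights, _obj, _inh, sid = fields[:6]
        aces.append({"type": ace_type, "rights": rights, "sid": sid})
    return True, aces


def audit_sddl(sddl):
    """Return a list of human-readable findings for one object's SDDL."""
    dacl_present, aces = parse_dacl(sddl)
    if not dacl_present:
        return ["NULL DACL: any local user can read, modify or take ownership of the object"]
    findings = []
    for ace in aces:
        if ace["type"] != "A":         # only access-allowed ACEs grant rights
            continue
        who = BROAD_PRINCIPALS.get(ace["sid"])
        if who and grants_write(split_rights(ace["rights"])):
            findings.append(f"{who} ({ace['sid']}) has write-class rights: {ace['rights']}")
    return findings


# Constructed sample objects; the names and ACLs are illustrative only.
SAMPLE_OBJECTS = {
    r"\\.\pipe\example_db_pipe": "O:BAG:SY",                                    # NULL DACL
    r"C:\example\bin\service.exe": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)",  # Everyone full
    r"C:\example\bin\client.exe": "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",  # read-only for Users
    r"\BaseNamedObjects\example_event": "D:(A;;GA;;;AU)",                       # Authenticated Users all
    r"\BaseNamedObjects\example_mutex": "D:(D;;GA;;;WD)(A;;FA;;;SY)",           # deny ACE, fine
}


def audit_all(objects):
    """Audit a mapping of object name -> SDDL and return {name: findings} for weak objects."""
    return {name: f for name, sddl in objects.items() if (f := audit_sddl(sddl))}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_OBJECTS).items():
        print(name)
        for f in findings:
            print("   ", f)
```

Only the allow ACEs matter for the check; a deny ACE naming Everyone is harmless, and an empty `D:` section is deliberately distinguished from an absent one, because the former locks everybody out while the latter is the NULL DACL the paper exploits.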