A set of buffer overflows in the XML component of Oracle Corp.'s 9i database makes it highly vulnerable to attack through a company intranet portal. Oracle is urging customers to immediately patch the vulnerabilities and to avoid connecting the database to the Internet until they have done so.
The vulnerability has the potential to allow an attacker complete control over data stored in the database. That means attackers could cause a denial-of-service attack or even capture a live 9i user session, according to the information Oracle has provided its customers.
Security expert Aaron Newman, chief technology officer at New York-based Application Security Inc., said that 9i users should not assume they are safe just because they have not connected their database to the Internet. Potential attackers are not limited to authenticated users, Newman said.
"Things often get by firewalls," Newman said. "I'm telling clients to first do the workarounds and then install the patches. I always like to do the workarounds first."
This week's 9i vulnerability is not as serious as the one Oracle users were introduced to three weeks ago, Newman said. The XML vulnerability only affects customers using Oracle 9i version 2.
"Last month's vulnerability affects nearly all the versions of Oracle," Newman said. "Honestly, not that many people are even using Oracle 9i version 2 yet. People don't have it in production yet."
Newman said that many Oracle 9i customers are still coping with last month's database vulnerability. "One of the problems is that you get a patch from Oracle, and it's very difficult to install, and a lot of [the] time it could break a lot of the features," he said.
"The vast majority of clients I see, they are really almost security naïve. Chances are that 80% of them have not applied the basic security patches."
To provide your feedback on this article, contact Ellen O'Brien.