Breakable

A U.K. security expert is preparing to unveil a trove of serious vulnerabilities in Oracle's database products. Can the company redefine 'unbreakable' in time?

By Kevin Poulsen
Jan 16 2002 1:26AM PT
http://www.securityfocus.com/news/309

[...]

Making matters worse for Oracle, it turns out that those holes were little more than a prelude to a suite of at least seven vulnerabilities currently in the company's patch pipeline -- all of them discovered by Litchfield last fall.

Assuming fixes are available in time, Litchfield plans to present the holes at a security conference in early February, including details of serious bugs that allow attackers to both "break it" and "break in."

"They range from buffer overflows, to something in the way Oracle communicates with different components," says Litchfield, lead designer and developer at NGSSoftware. "We can actually interject ourselves in between that communications process and run commands as SYSTEM on Windows NT or 2000. If it's running on a Unix system, we can run commands as the Oracle user remotely... So it's obviously very serious."

<snip>