Hello,

Please note that Oracle has updated the extproc buffer overrun advisory. There was some confusion caused because the initial Oracle advisory stated that a username and password were required to exploit the overflow which was contrary to the results of our research; we concluded that no user ID or password was necessary. Whilst I answered many of the mails querying this discrepancy, for those that I did not have a chance to reply to, please accept my apologies.

The updated Oracle can be found here: http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf .

In summary, Oracle 9i Database Release 2, Oracle 9i Database Release 1 and Oracle 8i Database (8.1.x) are all vulnerable and that "Risk to exposure is high, as a valid username and password is not needed in all cases to exploit this potential vulnerability."

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/
+44(0)208 401 0070

NGSSoftware's SQuirrel for Oracle, an advanced security audit tool for Oracle, checks for these vulnerabilities. More information is available from http://www.nextgenss.com/products/squirrelfororacle.htm .