In-Depth

Vulnerability Roundup

Last week, Oracle released a critical patch update for a SQL attack vulnerability that could give local attackers administrator-level privileges, and Apple patched Windows and Apple OS versions of QuickTime. Meanwhile a new report finds online attacks are hitting the bottom line.

• By Mathew Schwartz
• 01/24/2006

Oracle Releases Critical Patch Update

A newly disclosed vulnerability in Oracle’s 8i, 9i, and 10g database servers could allow basic users to gain unrestricted database access.

“By exploiting the flaw, any database user with minimal privileges can assume the role of database administrator. Moreover, any activity performed by the user while exploiting this flaw is not recorded by the database server’s built-in auditing mechanisms,” security vendor Imperva notes in a statement. Imperva says it discovered the flaw and notified Oracle in October 2005.

How does the flaw manifest? As Imperva notes, Oracle database security hinges on a user authenticating with a username and password. Yet “during the login process an Oracle user with no more than ‘create session’ privileges can execute commands in the context of the special database user ‘SYS.’ This grants any user the highest administrative privileges possible.”

The flaw stems from the fact that in the second of two different client and server requests during which a username and (obfuscated) password are communicated, various client attributes are also sent. In particular, one variable (‘AUTH_ALTER_SESSION’) telegraphs locale and language preferences. According to Imperva, however, “it turns out that this value can contain any SQL statement,” which would then get executed with SYS-level privileges, skirting normal access control restrictions. “In particular, the attacker can create a new database account and create DBA privileges [for] the new account.”

Oracle’s latest critical patch update fixes the problem. While Oracle has known about the problem for several months, it only releases critical patches quarterly. According to Imperva, “this is a major vulnerability and the three months between the problem’s discovery and the release of a fix highlights a serious concern about relying solely on database vendors’ patches for an enterprise’s defense against database attacks.”

Apple Patches Multiple QuickTime Vulnerabilities

Apple QuickTime 7.x, which plays digital media and is built into Apple OS X, has a number of “highly critical” vulnerabilities, says vulnerability information provider Secunia.

In particular, multiple vulnerabilities in the product—for both Apple versions, as well as Windows 2000 and Windows XP versions—could give an attacker remote access to a system or facilitate a denial-of-service attack.

According to Secunia, “A boundary error in the handling of QTIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious QTIF image is viewed.” Note the same vulnerability exists for other media files, plus there are further flaws stemming from boundary and/or integer overflow and underflow errors in the way QuickTime handles TGA, TIFF, and GIF image files.

To fix the flaws, Apple released QuickTime 7.0.4.; it recommends upgrading immediately. That said, some users are reporting difficulties with the latest version, leading Apple to issue a tool for rolling 7.0.4 back to 7.0.1, at least for OS X users.

Continuing Attacks Hit Companies’ Bottom Line

Half of all companies say they’ve experienced online attacks, and 21 percent of those attacks have caused more than $100,000 in damages each. Yet one in 10 attacks wreaks over $500,000 in damages.

Those findings come from the first-ever “Enterprise Security Survey,” recently conducted by Top Layer Networks. According to the survey, almost 60 percent of companies increased their information security product spending from 2004 to 2005, due especially to newer, faster threats, plus regulations. In particular, two-thirds of respondents must comply with at least one government regulation covering IT security, such as HIPAA, the Gramm-Leach-Bliley Act, or Sarbanes-Oxley.

Many security managers, however, still don’t feel that their networks are safe. According to the survey results, “35 percent feel that their existing security infrastructure does not offer adequate protection of their servers, and 38 percent feel that existing security infrastructure does not offer adequate protection for their desktops.”

Some organizations still overlook security best practices. For example, according to the survey, one quarter of organizations don’t have an official IT security policy, though almost half of organizations hedge by claiming they have some kind of IT security policy at least in the planning stages.

Related Articles:

Q&A: The Future of Security, Control, and SOX Compliance
http://www.esj.com/news/article.aspx?EditorialsID=1577

Q&A: Security Policy Best Practices
http://www.esj.com/Security/article.aspx?EditorialsID=1307