Re: [ISN] 34 flaws found in Oracle database software

From: InfoSec News (isn@private)
Date: Tue Aug 10 2004 - 22:40:55 PDT


Forwarded from: chris <chris@private>
Subject: Re: [ISN] 34 flaws found in Oracle database software 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I attended this presentation and it is true that Dave did not do any zero
days.  It was, however, an incredible presentation on SQL
injection/queries.  In addition, due to A/V technical difficulties, Dave
spent the first 20 minutes of the talk doing a Q&A with the audience on
Oracle/SQL vulnerabilities that was worth the price of admission all by
itself.  He started the presentation after the A/V guys got the projectors
working.

The room was packed to capacity, SRO, and as far as I could tell no one 
walked out.  My guess is that Jaikumar Vijayan did not attend the talk.


Chris



On Mon, 9 Aug 2004, InfoSec News wrote:

> Forwarded from: security curmudgeon <jericho@private>
>
> [Few comments on this article..  -jericho]
>
> : http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
> :
> : By Jaikumar Vijayan
> : AUGUST 03, 2004
> : COMPUTERWORLD
> :
> : Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
> : in its database software that were disclosed to it early this year by a
> : British bug hunter.
>
> Thirty-four is a lot.. perhaps Oracle could stand to hire some audit
> talent.
>
> : "They include buffer overflows, SQL injection issues and a whole range
> : of other minor issues," said Litchfield, who discovered the flaws. He
> : said that he reported them to Oracle in January and February.
>
> Seven to eight month turnaround time... chalk that up to "regression
> testing"?
>
> : Oracle confirmed the existence of the flaws, which were discussed
> : publicly at last week's Black Hat security conference in Las Vegas, but
> : did not offer any further comment. In an e-mailed statement, a company
> : spokeswoman said that Oracle had fixed the flaws and would issue a
> : security alert "soon."
>
> http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html
>
>  All New 0-Day
>  David Litchfield, Founder, Next Generation Security Software
>  This presentation will be entirely new and never seen before. Code
>  included.
>
> Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf
> set of slides (with or without 0-day). I also heard in passing that
> Litchfield told the audience first thing that there would be no 0-day
> disclosure, instead there would only be generic SQL injection
> discussion.
>
> Can anyone confirm this? If true, did Jaikumar Vijayan not attend the
> talk and write this based solely on the schedule?
>
>
>
> _________________________________________
> Help InfoSec News with a donation: http://www.c4i.org/donation.html
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBF5NsOyWtx0MtxawRAuQCAJ9B4mnQ0lp/YXj3jSnxiK61qVFYYwCgldvf
CTLBJAMss2WMe6UtE3ImPDs=
=oU+A
-----END PGP SIGNATURE-----



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Wed Aug 11 2004 - 00:42:40 PDT