Forwarded from: chris <chris@private>
Subject: Re: [ISN] 34 flaws found in Oracle database software

I attended this presentation and it is true that Dave did not do any zero
days. It was, however, an incredible presentation on SQL injection/queries.
In addition, due to A/V technical difficulties, Dave spent the first 20
minutes of the talk doing a Q&A with the audience on Oracle/SQL
vulnerabilities that was worth the price of admission all by itself. He
started the presentation after the A/V guys got the projectors working.
The room was packed to capacity, SRO, and as far as I could tell no one
walked out.

My guess is that Jaikumar Vijayan did not attend the talk.

Chris

On Mon, 9 Aug 2004, InfoSec News wrote:

> Forwarded from: security curmudgeon <jericho@private>
>
> [Few comments on this article.. -jericho]
>
> : http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
> :
> : By Jaikumar Vijayan
> : AUGUST 03, 2004
> : COMPUTERWORLD
> :
> : Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
> : in its database software that were disclosed to it early this year by a
> : British bug hunter.
>
> Thirty-four is a lot.. perhaps Oracle could stand to hire some audit
> talent.
>
> : "They include buffer overflows, SQL injection issues and a whole range
> : of other minor issues," said Litchfield, who discovered the flaws. He
> : said that he reported them to Oracle in January and February.
>
> Seven- to eight-month turnaround time... chalk that up to "regression
> testing"?
>
> : Oracle confirmed the existence of the flaws, which were discussed
> : publicly at last week's Black Hat security conference in Las Vegas, but
> : did not offer any further comment. In an e-mailed statement, a company
> : spokeswoman said that Oracle had fixed the flaws and would issue a
> : security alert "soon."
>
> http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html
>
> All New 0-Day
> David Litchfield, Founder, Next Generation Security Software
> This presentation will be entirely new and never seen before. Code
> included.
>
> Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf
> set of slides (with or without 0-day). I also heard in passing that
> Litchfield told the audience first thing that there would be no 0-day
> disclosure, instead there would only be generic SQL injection
> discussion.
>
> Can anyone confirm this? If true, did Jaikumar Vijayan not attend the
> talk and write this based solely on the schedule?
>
>
>
> _________________________________________
> Help InfoSec News with a donation: http://www.c4i.org/donation.html
>

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Wed Aug 11 2004 - 00:42:40 PDT