News

Buffer Overflow Flaw in Oracle9i Component

Security researcher David Litchfield found a high risk problem in the form of a buffer overflow vulnerability occurring in a software component that ships with the Oracle 9i database on all platforms.

Oracle has a patch available at its Oracle Metalink site (metalink.oracle.com) under issue number 2581911.

The affected component is called Oracle iSQL*Plus. It is a Web-based application allowing users to query the database. Installed with the Oracle 9i database server, iSQL*Plus runs on Apache.

The buffer overrun occurs at the default log-in screen. By supplying an overly long user ID parameter, a user can overrun a buffer and potentially run arbitrary code in the context of the Web server. On Windows systems that security context is as a System user.

Compromising the Web server can give attackers a platform to launch attacks against the database server, according to a bulletin from Litchfield's company, Next Generation Security Software, Ltd.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

  • Microsoft FastTrack Support Extended to Microsoft 365 Defender Solutions

    The Microsoft FastTrack support program has been extended to Microsoft 365 Defender products for certain qualified subscribers, Microsoft indicated this week.

comments powered by Disqus