Oracle patches high-risk security hole

Researchers at Covert Labs, part of Network Associates' PGP Security group, discovered the vulnerability and ranked its risk as "high." Oracle has acknowledged the problem, fixed it in the newest 9i version of its software and issued a patch for the earlier releases.

"This is a pretty significant vulnerability for Oracle users," said Jim Magdych, security research manager for PGP Security.

The problem occurs in a part of Oracle's database software called the "listener," which handles communications between people using the database and the database itself, Magdych said. The attack works by sending more information than the software expects, a process called a "buffer overrun."

In a buffer overrun attack, the extra characters are written into the computer's memory. A clever attacker can place commands in just the right patch of memory to make the computer's chip run a program that can be used to give access to the attacker, Magdych said.

What the attacker does next varies according to what type of system has been compromised. In the case of the Oracle security hole, the attacker would have access privileges to the database itself, granting him permission to view or change any information in the database.

Oracle runs with very broad powers on a Windows system, so an attacker there would have complete control over the system, Magdych said. Oracle has narrower powers running under the Unix operating system, but the Oracle permission would be a useful foot in the door for further attacks that could lead to complete control, he said.

Covert Labs has a staff of about six scouring software commonly used on the Internet, Magdych said. Earlier this year, the team discovered several serious problems with Berkeley Internet Name Domain (BIND), widely-used software that links a computer's numerical Internet address with its URL.