Database flaws more risky than thought

Newly released details of flaws found earlier in Oracle and IBM databases have some security firms worried.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
Details of multiple security flaws in Oracle and IBM databases have been released by the security company that found them.

The flaws, which were described in general terms in August and September by Next-Generation Security Software, could allow an attacker to remotely compromise servers running the database programs. Security company Symantec raised its Internet threat rating of the flaws to 2 from 1, based on the details released on Thursday.

NGSSoftware gave users of the databases more than three months to fix their systems when it announced its discovery of the flaws. Oracle has already released patches for the 10 vulnerabilities affecting its 9i database, and IBM has issued fixes for two flaws in DB2 versions 7 and 8.1.

"Some of these are more serious than others," said David Litchfield, a security researcher and co-founder of U.K.-based NGSSoftware. "Most of these vulnerabilities can be exploited remotely."

The advisories can be found on NGSSoftware's Web site.