Jump to content
Nytro

Oracle discloses new zero day exploit and launches JDK for OS X

By Nytro, in Stiri securitate

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1]Oracle discloses new zero day exploit and launches JDK for OS X[/h]by Chester Wisniewski on May 1, 2012

While some might find it amusing that a company accidentally disclosed a zero day vulnerability in its own software, you won't if you are a Oracle database administrator. Earlier this month Oracle released a "critical patch update" fixing 88 vulnerabilities in its wide assortment of database products.

Unfortunately one of the fixes for its TNS Listener service had stability issues and is only going to be fixed in future versions.

Still Oracle saw fit to say it was fixed, even though they have no intention of releasing a patch for it and all current versions remain vulnerable.

This sounds bad enough, but it gets worse. Joxean Koret, who discovered and disclosed the vulnerability to Oracle in 2008 saw the notice that the flaw was fixed and published a proof-of-concept exploit to the Full Disclosure mailing list.

Oracle isn't exactly known for getting security right, but this is downright reckless. Taking four years to fix a serious vulnerability, and even then only committing that future releases, to be named, will fix it?

If you are responsible for securing Oracle DBs I would highly recommend creating extremely restrictive firewall rules for the TNS Listener service, or disable it entirely if it isn't needed in your environment.

java250.jpg?w=250&h=250In other Oracle news, the Java JDK is now available for OS X Lion (10.7).

For Java neophytes, this is not the Java Plugin/Java Web Start components that integrate with your browser to allow you to launch Java applets.

It only works with 64 bit versions of Lion and is intended for development use. Earlier versions of OS X will not see a port coming from Oracle either.

This might be an indication that Oracle intends to supply their own JRE/Java Plugin/Web Start for Mac users in the future, which would make it easier for OS X users to stay current without relying on Apple.

Update: At approximately the same time as this article was posted Oracle released a critical update for versions 10g and 11g database products fixing this vulnerability. Sometimes light is the best disinfectant.

Sursa: Oracle discloses new zero day exploit and launches JDK for OS X | Naked Security

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...