Oracle Offers Workaround After Confusion Leads To Zero-Day Disclosure
By: Trevor Boland
Many software developers offer bounty programs for their products. The concept is that someone finds a vulnerability and notifies the developers of the software in exchange for a reward. The point is to dissuade hackers from using the vulnerabilities by offering them something "better"(?).
Of course one would think that, after the vulnerability is turned in and the reward given, the developer would scramble to correct the issue. Oracle seems to have a different process in place.
The vulnerability, rated a 7.5 on the CVSS scale (0-10, 10 being most severe), was found by Joxean Koret four years ago. It allowed an attacker acting as a man-in-the-middle to gain remote access to Oracle's 10g and 11g database versions without authentication. Obviously a rather large issue. Oracle seemingly sat on this until its quarterly security update (2 weeks ago), which appeared to fix the bug and even credited Koret in the "Security-in-Depth" program.
Assuming the vulnerability had been corrected, Koret published a proof of concept detailing how the flaw could be used. After a few follow-up emails, however, it turned out that Oracle's intention was to correct the flaw in future versions of its software. The now published solution can be found here.