Oracle


Again I Ask: Isn’t There a Better Way?

Last summer, I wrote about my concerns with regard to fourth-generation rootkits and their supposed beneficial intentions.  Now that the same approach is being applied to Oracle databases, I ask again:  isn’t there a better way?

A security researcher recently announced that he has created a better “rootkit” for Oracle that improves upon the earlier version unveiled last year at the Black Hat Conference in Amsterdam.  This new version makes it more difficult for database administrators and security professionals to locate the rootkit.  Supposedly, this is all being done to underscore the vulnerabilities and flaws in the Oracle database (and, to a lesser extent, Microsoft SQL Server, IBM DB2, and others).

Isn’t there a better way?  As IT professionals—whether we be security experts, database experts, or networking experts—we ought to be able to find a way to openly discuss security flaws and vulnerabilities without actually creating tools for exploiting them.  Now what’s going to happen when this “rootkit” (my definition of rootkit is a bit more stringent than the one used in the referenced eWeek article) falls into the wrong hands and is used to steal hundreds of thousands of credit card numbers from a leading financial institution?  What if it was YOUR financial institution that was compromised using this tool?  Would you still be in favor of this approach then?

I suppose that’s the real value behind open source software; the flaws and vulnerabilities are out there for anyone to see in the source code itself.


A Flurry of Security Patches

Over this past week, a wide collection of vendors have released patches for various vulnerabilities and flaws in their applications.  Here’s a quick recap of some of the security patches released this past week.

Of course, this list doesn’t include the patches from Microsoft that were released last week, which included fixes for two ‘critical’ e-mail server flaws.

As usual, the activity in software patching is another reminder that we must continue to be vigilant in the construction and maintenance of our networks.
