DB2 Flaws Highlight Vulnerability Concerns

 
 
By Lisa Vaas  |  Posted 2003-10-06 Email Print this article Print
 
 
 
 
 
 
 

IBM has patched recently uncovered security vulnerabilities in its DB2 Universal Database, but the process it followed has left some security researchers wondering if the company is too tight-lipped on the subject.

IBM has patched recently uncovered security vulnerabilities in its DB2 Universal Database, but the process it followed has left some security researchers wondering if the company is too tight-lipped on the subject.

One researcher is security company Application Security Inc., which last week found two holes in DB2. These follow two major vulnerabilities, reported Sept. 17, that enable root privilege on vulnerable servers.

Patches have been posted for the vulnerabilities, but what worries Aaron Newman, chief technology officer of ASI, in New York, is that a handful of researchers knew about the two major vulnerabilities a year ago, long before patches were released.

A spokeswoman for IBM, of Armonk, N.Y., said that the company takes security very seriously and that the vulnerabilities did not affect customers. Indeed, some DB2 users shrugged off the holes, saying that securitys only as good as the administrators managing the servers.

"The security is going to be as good as your personnel are, your standards and your procedures," said Michael Dempsey, director of database administration at UNC Health Care, in Chapel Hill, N.C.

DB2 is unlikely to be hit with Internet-slowing hacks such as the Slammer worm, which struck Microsoft Corp.s SQL Server database early this year, ASIs Newman said. Rather, the danger is from a savvier breed of attack: a targeted one that goes after salable data, as opposed to destructive attacks such as Slammer.

"[An Internet-borne virus such as] Slammer isnt the real danger with database vulnerabilities," Newman said. "The real danger is theres a buffer overflow out there that people arent patching because theres no Slammer worm out there. I dont think worms are what people should worry about. They should worry about targeted attacks meant to steal data."

Mark Rowe, an IT security consultant at PenTest Ltd., in Manchester, England, said theres good reason IBM keeps quiet when vulnerabilities arise. Namely, DB2 runs on so many platforms, from Unix and Linux to mainframe flavors, that it takes a long time to fix them all.

"Theyve got so many platforms theyve got to cater to," Rowe said. "The fix process takes a long time to go through and fully test."

Meanwhile, disclosing vulnerabilities just puts systems at risk, Rowe said. PenTest itself last week reported DB2 vulnerabilities that the company discovered in November. As soon as a fix came out in IBMs FixPak 10a, the security company deemed it safe to release the news, Rowe said.

 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel