New Security Risks Hit Oracle | eWeek

New Security Risks Hit Oracle

Verfasst von
Paul F. Roberts
Paul F. Roberts
Nov 7, 2005
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Enterprise IT managers who are still knee-deep in patches from Oracle Corp.s last quarterly Critical Patch Update have more to worry about after an unknown individual last week posted on a security discussion list source code for a worm that spreads among Oracle databases.

The worm is the first ever developed for an Oracle platform and is considered a low security risk. However, the worm calls attention to loose security practices that are still common on Oracle platforms and comes amid word from one security researcher of more than 250 unpatched holes in the Redwood Shores, Calif., companys Database 10g.

The code for the Voyager Beta worm was released on the Full Disclosure discussion list Oct. 31 by an unknown contributor. The worm appeared in a message with the subject “Trick or treat Larry,” an apparent reference to Oracle CEO Larry Ellison.

Voyager Beta does not exploit security vulnerabilities in the Oracle code but capitalizes on insecure configurations, said Alexander Kornbrust, CEO of Red-Database- Security GmbH, in Frankfurt, Germany, and an expert on Oracle security.

Currently, Voyager Beta must be placed on Oracle systems by a database user and manually started. Once launched, the worm scans for other Oracle databases on the same network subnet and then uses a feature called private database links to connect to those databases using a series of default user names and passwords. Voyager Beta creates a blank table, called X, on remote database servers it infects—a harmless act that could be replaced with a more destructive payload, Kornbrust wrote in an analysis.

The security hole does not require a patch from Oracle, but database administrators should change the default password on their Oracle databases if it has not already been changed, Kornbrust said.

Despite an increasing number of warnings about the security of Oracles software, many administrators still leave default configurations in place and dont password-protect key database functions such as the “listener,” a component that manages connections to the database and can allow users to take control of the database if it is not properly secured, he said.

Unlike Windows systems, Oracle database servers could have dozens of services and password-protected accounts enabled.

Oracle has been a focus of criticism in recent months, as independent security researchers such as Kornbrust and Next Generation Security Software Ltd.s David Litchfield have complained that the companys database software is riddled with security holes and that Oracle takes too long to issue patches for the problems.

A recent paper released by researchers at The SANS Institute, of Bethesda, Md., revealed weaknesses in the password protection mechanism in Oracles databases. In just the latest example, Kornbrust said he passed details to Oracle last week on more than 250 SQL injection vulnerabilities in the companys 10g Release 1 database server. Kornbrust said he found the SQL injection holes in just 6 hours using automated vulnerability scanning tools to analyze about 9,000 software packages and functions that are part of 10g Release 1.

The holes are new and are not covered by fixes released in the latest Critical Patch Update. Exploit code that Kornbrust developed for some of the holes gives users basic ownership rights to vulnerable Oracle databases, a critical security hole. Up to 30 percent of the new holes may allow database users to elevate their privileges, Kornbrust said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.