Oracle is developing a patch for a flaw in its databases after the company accidentally published information about the bug on the Oracle knowledgebase Metalink last week.
The publication by Oracle raised eyebrows within the security community because attackers could use the information to exploit the flaw. The database developer has, moreover, in the past been highly critical of hackers who disclosed information about vulnerabilities before the software maker had had a chance to release a patch.
"In this case, not only did Oracle release detailed information on the vulnerability; they also included the working exploit code on the Metalink," security vendor Red Database Security noted in an advisory on its website.
Oracle has since removed the information from its website. The company had not, at the time of publication, responded to a request for further information from vnunet.com.
The reported flaw affects database versions 9.1.0.0 through 10.2.0.3 on all platforms. It allows users with "SELECT" only privileges to insert, update or delete data via a specially crafted view. For custom applications this effectively means that low-privilege users now have the ability to alter data. In some cases they could escalate privileges and change passwords, Red Database Security warned.
Red Database Security marked the vulnerability "high risk" because it is currently unpatched and details have been made available. Security website Secunia rated the flaw "less critical" because it requires an attacker to have access to the system.