Comments on Oracle Vulnerabilities
The Oracle vulnerabilities highlighted in yesterday's diary are a coordinated mass of vulnerabilities reported by the US-CERT. While NGS Research has indicated they will withhold details of their reported vulnerabilities for three months, Application Security Inc. has released sufficient details about the vulnerabilities that could be used to start exploiting Oracle databases immediately.
While Oracle users have often benefited from the lack of full-disclosure in Oracle vulnerabilities in the past, Oracle's recent decision to post monthly vulnerability updates may have changed this scenario. In my experience working with Oracle databases, patching is frequently not an option for customers using third-party products while retaining support, often due to vendors inability to sufficiently test and certify Oracle patches with their products in a timely manner.
Organizations using Oracle are encouraged to implement the Oracle Database hardening recommendations made available by the Center for Internet Security and the well-written "Securing Oracle: Step-by-Step Guide" by Oracle security expert Pete Finnigan. Patch affected databased whenever possible, and limit the expose of systems with restrictive port-filtering and other technologies.
More WinZip Vulnerabilities
Following the 2/27 WinZip vulnerabilities, additional flaws in the popular WinZip software have been reported that could be manipulated to compromise vulnerable systems. WinZip Computing Inc. has released WinZip 9.0 SR1 to address these issues.
Vulnerabilities in very popular third-party software products should be a significant concern for organizations that have not deployed comprehensive patch-management solutions. Configuring systems to automate the process of installing patches for Microsoft products is a welcome feature, but does not adequately address third-party software. Other examples of recent vulnerabilities in third-party software include Adobe Acrobat Reader, Sun Java Runtime Engine and AOL Instant Messenger.
MIT Kerberos Vulnerabilities
Critical vulnerabilities in the MIT Kerberos 5 implementation's Key Distribution Center (KDC) program were reported by the MIT Kerberos team today. Patches are available for affected systems.
Cisco Systems has also posted a vulnerability report indicating that their VPN 3000 series of VPN access concentrators are vulnerable to the Kerberos flaws. Customers are advised to update to mitigate these flaws.
Wireless Compromise Stories
I'm interested in hearing stories from readers who have had their wireless networks compromised for one reason or another in an effort to understand how hackers are exploiting wireless networks. If you have had a wireless network compromised or have caught someone trying to compromise your wireless network, I'd love to hear about it. Please write us at firstname.lastname@example.org or by visiting http://isc.sans.org/contact.php . All stories will be kept confidential unless otherwise specified. Many thanks!
More Weak Password Attacks?
A few readers have reported various password-based attacks against FTP, VNC and Telnet services. We are trying to correlate the source addresses for these attacks with other data sources. If you have logs of multiple failed-authentication attempts for these services, please drop us a line ( http://isc.sans.org/contact.php ). It's not necessary to send logs from failed SSH login attempts, we have plenty of those thanks to our readers.
-Josh "sick as a dog" Wright/Handler-on-Duty
Sep 2nd 2004
1 decade ago