Well-known attention hound David
Litchfield is saying that the sky is falling again, this time
claiming that he has
discovered a new way to remotely hack an
Oracle 11g database.
His latest vulnerability would only be a
problem for an reckless or incompetent DBA. somebody who leaves the
default permissions and does not lock-down their environment.
David's Litchfield’s “Zero
day remote hack”, recommends a workaround that revokes
the default public
grants privileges from dbms_jvm_exp_perms, dbms_java and
For Litchfield to note that using
Oracle's the out-of-the box defaults will cause an exposure is
common knowledge, and it's hardly newsworthy.
been chastised by Oracle Corporation many times for his nonsensical
and outlandish claims, and this one is no different, it’s all
nonsense. The “exploit” he talks about is a DBA-101 issue that
no qualified DBA would allow.
At one time,
Litchfield called for the resignation
of the chief of Oracle security, making headlines all
over the world, in a failed attempt to hurt Oracle's reputation as
the world's most secure database platform.
Aiding and abetting criminal?
In one case where David Litchfield did
find a real security vulnerability, he published the
exploit before Oracle could patch the problem,
exposing thousands of Oracle customers.
In some jurisdictions, publishing instruction for unlawful
acts is considered
aiding and abetting criminal activity and
this outrageous act promoted a
response Oracle Corporation, about these “black hat” vulnerability
“I find those trafficking in
nonpublic exploits morally reprehensible”.
- Mary-Ann Davidson, CTO, Oracle Corporation
Corporation says that these "black hat" vulnerability
clubs are "selfish", "irresponsible", "morally reprehensible" and
"dangerous", especially when they
openly publishing instruction on how-to hack into Oracle databases:
"A few hours after Litchfield went
public with a technical description of the flaw, including a
blow-by-blow demonstration of ease in which an attack could occur,
Oracle lashed back, accusing the British researcher of putting its
customers at severe risk for selfish, irresponsible reasons...
Even as he downplayed the severity of
the flaw, Harris said Litchfield's decision to go the way of
"irresponsible disclosure" was a "dangerous thing to do."
While it’s possible that a naïve or stupid DBA might forget to
lock-down their public grants, this alert does not apply to the vast
majority of Oracle shops.