Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Microsoft, Oracle security flaws found

  • From: Howell, Paul
  • Date: Sun Dec 23 17:18:47 2001

At http://www.siliconvalley.com/docs/hottopics/microsoft/secur122101.htm

Microsoft, Oracle security flaws found
BY ELISE ACKERMAN
Mercury News 
The world's two largest software companies, Microsoft and Oracle, on
Thursday acknowledged embarrassing flaws in major products that could leave
users vulnerable to hackers.

Both Windows XP and Oracle's 9i application server had been heavily marketed
for their security features. Microsoft and Oracle each offered online
patches to fix the problems.

Microsoft admitted Thursday that the newly released Windows XP operating
system, touted as the most secure version of Windows ever, suffered from a
critical vulnerability that exposed any user who connected to the Internet to
a possible hijacking of their computer.

Meanwhile, Oracle's so-called ``unbreakable'' 9i application server was
afflicted by a similar vulnerability, known as a buffer overflow, that would
have let an attacker execute remote commands.

``Although we've made significant strides in the quality of the software,
the software is still being written by people and it's imperfect,'' said
Scott Culp, manager of Microsoft Security Response Center. ``There are
mistakes. This is a mistake.''

Hackers who exploited the buffer overflow could do virtually anything on a
user's computer, such as copying information, altering or destroying files,
and even running their own programs on the machine.

Culp said users of Windows XP should ``download the patch immediately and
install it.'' Windows XP allows users to automatically download bug fixes.

Certain configurations of Windows 98 and Windows ME could also be affected.
More details, and the patch, were available on Microsoft's Web site at
www.microsoft.com.

Researchers at a Southern California computer-security company, eEye Digital
Security of Aliso Viejo, said they discovered the vulnerability the day
after Windows XP was released Oct. 25. Since then, at least 7 million copies
of the program have been sold.

Marc Maiffret, who goes by the title of chief hacking officer at eEye, said
he contacted Microsoft about the buffer overflow and other vulnerabilities,
but did not make the problem public until Microsoft had found a way to fix
it.

Though Microsoft has been criticized in the past for releasing computer code
that is easy to break into, Maiffret said XP did represent an improvement
over past products. ``What we found was by no means trivial,'' Maiffret
said. ``The people who wrote the code were doing everything almost
perfectly.''

Maiffret was more critical of Oracle. At the Comdex computer show last
month, Oracle CEO Larry Ellison dared hackers to try to break into his
company's software. Maiffret, a 21-year-old reformed hacker who has
testified before Congress about computer security, said it took eEye
programmers four hours to identify weaknesses in Oracle's programs that
would have exposed users to a problem known as a ``denial of service'' attack.

The buffer-overflow flaw in Oracle's 9i application server was found by
David Litchfield of Next Generation Security Software, based in Surrey in
the United Kingdom.

In a statement, Oracle said it had responded as quickly as possible to the
vulnerabilities ``with information, patches and work-arounds that customers
can apply.''
