Oracle's latest security update may fix more than 30 flaws in its software, but it leaves Oracle databases vulnerable to a zero-day attack, according to a security researcher.
The problem is with a small package called DBMS_EXPORT_EXTENSION, whose problems go back to the spring of 2004, according to David Litchfield of Next Generation Security Software (NGSS). Despite repeated attempts to patch the package, Oracle has failed to address all its reported bugs, according to Litchfield.
On Wednesday of last week, on the same day that Oracle released the patch, exploit code was published on the Bugtraq mailing list allowing attackers to take advantage of the holes in DBMS_EXPORT_EXTENSION. Researchers had hoped that Oracle's fix had made the exploit ineffective, but that has turned out to be wishful thinking, Litchfield said.
"The patch for 10g Release 2 for April 2006 Critical Patch Update does not contain a fix for the specific flaw that the exploit takes advantage of," Litchfield wrote to the Full Disclosure mailing list. He said the specific flaw related to the exploit was reported to Oracle in February of this year.
"It is incredible how, for such a small package, DBMS_EXPORT_EXTENSION has had so many problems that Oracle have been unable to fix," he said.
Litchfield originally began reporting problems with the package two years ago, and Oracle has since released several patches attempting to fix them, but Litchfield said none of the patches has proved completely effective. "It is unfortunate that Oracle did not take the opportunity to fix the flaws first time around. It is amazing Oracle didn't fix them second time around. It is disgraceful, in my opinion, that they didn't fix them properly third time around," he wrote.
He said admins could revoke the PUBLIC execute permissions from the package to mitigate the risk.
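The mitigation Litchfield describes, worked through as an added example that is not part of the article: first list who currently holds EXECUTE on the package, then revoke it from PUBLIC, then re-run the check to confirm. It assumes the package lives in the SYS schema and that the session has DBA privileges to query DBA_TAB_PRIVS and issue the REVOKE.

```sql
-- 1. Who can execute DBMS_EXPORT_EXTENSION right now?
--    A row with GRANTEE = 'PUBLIC' means every database user can reach it.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE';

-- 2. Remove the PUBLIC grant (schema owner SYS assumed; adjust if different).
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;

-- 3. Verify: this should now return no rows for PUBLIC.
SELECT grantee
  FROM dba_tab_privs
 WHERE table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE'
   AND grantee    = 'PUBLIC';
```

Any roles or individual accounts still listed by the first query after the revoke were granted EXECUTE directly and need their own review, since the package remains callable by them.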
Many security researchers have condemned Oracle for its failure to properly fix numerous problems with its software. In January, Gartner analyst Rich Mogull warned that "Oracle can no longer be considered a bastion of security" after a mega-patch fixing 82 bugs.
Oracle, for its part, has criticized researchers for failing to keep vulnerability information secret until effective patches have been released.