Saturday, September 22, 2012

Oracle database flaw deemed serious, could expose data

CSO by Antone Gonsalves

Some Oracle databases have what experts say is a serious flaw in the login system that a hacker can use to retrieve and change stored data.
The flaw, in Oracle Database 11g Releases 1 and 2Ã'Â leaves the token that is provided by the server before authentication is completed open to a brute-force attack, said Esteban Martinez Fayo, the Application Security researcher that discovered the flaw. If successful, an attacker can gain access to the database.
"An authentication bypass is quite serious," Kevin Mitnick, a well-known white-hat hacker and founder of Mitnick Security Consulting, said in an email. "Basically, an attacker can get to the data stored in the database, and even change it."
The vulnerability stems from the way the authentication protocol protects session keys. When a client connects to the database server, a session key is sent with a salt. Because this happens before the authentication process is finished, a hacker working remotely can link the key to a specific password hash.
"Once the attacker has a session key and a salt, the attacker can perform a brute-force attack on the session key by trying millions of passwords per second until the correct one is found," Fayo toldÃ'Â Kaspersky Lab'sÃ'Â Threatpost blog.Ã'Â
Because the hack occurs before authentication is done, no login failure is recorded in the server, so a person can gain access without triggering an abnormal event.
Oracle, which did not respond to a request for comment, patched the flaw in the latest upgrade of the authentication protocol, version 12. However, the company is not planning a patch for the flawed version, 11.1, Fayo said. Even with the upgrade, database administrators have to configure the server to only allow the new version of the protocol.
Because the fix requires an upgrade, the vulnerability will hound some Oracle customers for years, said Justin Clarke, a security researcher at Cylance.
"There are many large companies and critical infrastructure agencies which cannot afford the time or risk to upgrade all their Oracle clients and servers," Clarke said. "I can say with near certainty that we will see this vulnerability as long as Oracle 11g remains in use."
Previous flaws in Oracle's authentication protocol have been a well-kept secret in the security industry, Clarke said. "It's great to see that issues like this are being discussed publicly, and I hope that this helps serve as a wake-up call for Oracle and its users to dig deeper and assess the actual strength of systems."
Brent Huston, chief executive of security testing company MicroSolved, said even if a company prevents Internet access to a vulnerable database, the data is still at risk of an attack from the inside.
"Oracle's choice to lock this patch to an upgrade really forces the hand of those organizations with longer technology refresh periods and puts a lot of strain on the trust relationships they have with Oracle as a vendor," Huston said in an email.
Because of the vulnerability, customers that haven't upgraded their databases will have to implement some form of protection, particularly if they are subject to oversight by regulators, Huston said.
Fayo discovered the vulnerability after noticing that the client and server handled logins with incorrect passwords differently. A closer examination led to the discovery.
Fayo discussed the vulnerability Thursday at the Ekoparty Security Conference.
Oracle has battled with database flaws in the past. In January, InfoWorld uncovered a manual method to change the system change number (SCN), which could break the database. The SCN is a kind of time stamp for every transaction. If a database reaches its transaction limit, it could stop working properly.
Read more about application security in CSOonline's Application Security section.

Read more »

Apple seeks another $707 million in damages from Samsung

Sep 22, 2012 11:24 am | IDG News Service


A California jury may have awarded Apple more than US$1 billion in damages in late August when it triumphed over Samsung in a hard-fought case over smartphone and tablet patents, but the iPhone maker is coming back for more: late on Friday it asked for additional damages of $707 million.
The request includes an enhanced award of $535 million for willful violation of Apple's designs and patents, as well as about $172 million in supplemental damages based on the fact that the original damages were calculated on Samsung's sales through June 30. Apple wants the supplemental amount to cover the periodfrom July 1 through the date when the case is resolved, which it estimated as December 31, 2012.
In its filing with the U.S. District Court for the Northern District of California Apple also said that if the court decides to review the damage award based on a challenge from Samsung, it also wants an additional $155.8 million for five infringing products where the jury awarded less than the minimum amount calculated by Samsung's damages expert.
Apple also wants either a new trial or amended judgments finding that the iPad and iPad2 design is protected and is infringed by Samsung's Galaxy Tab 10.1, and that a wide range of Samsung phonesinfringe on Apple patents or trade dress.

Read more »

Microsoft patches critical Flash bugs in Windows 8


Sep 22, 2012 09:51 am | Computerworld
Updates IE10's integrated Flash Player with fixes to block ongoing hacker attacks 

by Gregg Keizer

Microsoft on Friday updated Flash on Windows 8 to protect IE10 users from attacks that may have started months ago.
More than a week before, Microsoft had backed away from an earlier position that held it would not patch Flash until late October. Instead, the company promised to update the media player "shortly."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company mimicked Google's Chrome by building the software into IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
But the Redmond, Wash. developer ran into trouble from the get-go. Although Adobe shipped a pair of security updates in August that patched eight vulnerabilities, Windows 8 RTM, the finished code that began reaching users that same month, lacked those fixes.
One of the eight Flash bugs has been exploited by hackers, perhaps for months. An elite hacker gangknown for finding and leveraging unpatched vulnerabilities has been among those hijacking Windows PCs with the flaw.
Friday's Flash update will be offered to Windows 8 RTM, and to the final public beta, Windows 8 Release Preview. That sneak peak, which users downloaded free of charge, does not expire until Jan. 31, 2013.
Computerworld confirmed that the update boosted IE10's Flash Player to version 11.3.374.7 on Windows 8 RTM. On Friday, Adobe confirmed that that edition contained the patches for the eight vulnerabilities it patched Aug. 14 and Aug. 21.
Yunsun Wee, director of Microsoft's Trustworthy Computing team, also clarified how the company will treat future Flash updates for IE10 in Windows 8.
"On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing," pledged Wee.
Her reference to an Adobe quarterly Flash schedule was odd; although Adobe tries to adhere to an regular cadence for Adobe Reader -- not always successfully -- it has never set something similar for Flash Player.
Thus far during 2012, in fact, Adobe has issued seven Flash updates: One in February; two in March; one each in May and June; and two in August. If Adobe is adopting a quarterly patch process for Flash Player, it has kept that under wraps.
Wee also admitted that Microsoft will need to deliver "out-of-band" updates -- those outside its usual monthly Patch Tuesday -- to keep IE10's and Windows 8's Flash in sync with the Flash plug-ins Adobe maintains for other browsers.
"When the threat landscape requires action outside of Adobe's normal update cadence, ...we will issue updates outside of our regular monthly security bulletin release," Wee said in a Friday post to the Microsoft Security Response Center's blog.
Those out-of-band Flash updates could quickly pile up. If Windows 8 had been available from the start of 2012, in the best circumstances Microsoft would still have had to deliver emergency Flash updates in February, March and August.
Even then, Microsoft would have had to hustle to work the other four Flash updates into its next Patch Tuesday: In one instance, Flash was updated on Patch Tuesday, while in two others, Microsoft would have had just four days to prepare. The fourth Flash update was released eight days before the next Patch Tuesday.
More information on the Flash Update to IE10 and Windows 8 can be found in Microsoft's security advisory.
Windows 8 users can obtain the Flash update via the Windows Update service, as well as through the enterprise-grade WSUS (Windows Server Update Services).
Microsoft's made good on a Sept. 11 promise to patch Windows 8's baked-in Flash Player.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Read more »