Archive for August, 2007

Oracle Jinitiator ActiveX control 1.1.8.16 contains multiple Stack Buffer Overflows

Donnerstag, August 30th, 2007

Yesterday the US Cert published an advisory that the ActiveX control of Jinitiator 1.1.18.16 and earlier contains multiple buffer overflows allowing remote code execution. Even a new installation of Jinitiator does not fix the problem because the old, vulnerable control will not be removed. The US Cert recommends to disable ActiveX or to set the appropriate killbit.

Create and execute the following textfile to set the killbit. Additional information about killbits and activeX are available in the following Microsoft support note 240797.

———–killbit.reg—————

    Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9b935470-ad4a-11d5-b63e-00c04faedb18}]
    “Compatibility Flags”=dword:00000400

———–killbit.reg—————

Partnership between Red-Database-Security GmbH and PeteFinnigan.com Ltd.

Dienstag, August 21st, 2007

Red-Database-Security GmbH in Germany and PeteFinnigan.com Limited in the UK are pleased to announce an exclusive partnership to promote and sell services / training and products to give customers the best choices in securing Oracle databases. Pete Finnigan and Alex Kornbrust are both world leaders in the field of securing Oracle databases and this exclusive partnership will provide a stronger combined proposition for customers of both companies. Alex and Pete are pleased to announce an exclusive and exciting limited opportunity to attend a 5 day Oracle Anti Hacker training in London from October 29th to November 2nd. The places are limited so don’t miss this unique opportunity. See www.petefinnigan.com and www.red-database-security.com for more details and to register.“

David’s Whitepaper about Oracle Forensics

Sonntag, August 12th, 2007

David Litchfield just released the 5th part of his Oracle Forensics whitepaper “Finding Evidence of Data Theft in the Absence of Auditing“. He describes how to find traces if the attacker used only SELECT statements.

Oracle 11g is available

Freitag, August 10th, 2007

Oracle 11g is now available for download (Linux so far only).