Oracle patch is holey, says security researcher

Oracle's latest update fails to tackle a database flaw that has already been exploited, a security researcher has warned.

Last week, the business software maker issued its quarterly Critical Patch Update, addressing more than 30 flaws in its software. However, the update for Oracle 10g Release 2 does not plug a hole that allows published attack code to run, according to a message sent to the Full Disclosure security list on Wednesday by David Litchfield, a researcher at Next Generation Security Software.

The exploit, released on the internet last week, isn't for a flaw that Oracle patched but for a new problem. Initially, experts believed it was for one of the patched vulnerabilities.

Intruders could still gain higher privileges on a system via the new flaw in the database's (DBMS) export extension - a component that has been a recurring source of problems, Litchfield wrote.

Other versions of 10g may also be affected, Symantec said in an alert to users of its DeepSight intelligence service.

The security company advised: "We strongly encourage database administrators to revoke public execute permissions for DBMS export extension until an adequate vendor-supplied patch is available for this issue."

Oracle was not available for comment.

Litchfield expressed frustration at Oracle's response to the problem in Oracle 10g Release 2. "This specific flaw was reported to Oracle on the 19th of February 2006," Litchfield wrote.

He went on to give details of other problems related to the issue, which he said Oracle had tried, but failed, to remedy since he first reported them in April 2004.

Security researchers have criticised Oracle for being slow to patch and for not working well with them to fix security holes. In response, Mary Ann Davidson, the business software maker's chief security officer, has said that researchers themselves can be a stumbling block to product security.

Dawn Kawamoto writes for CNET News.com