[Sunnet Alert] Advisory #225 - Oracle, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Thu Apr 19 23:10:03 EST 2007 

Sûnnet Beskerming Alert List Advisory #225

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Oracle (Multiple)
	- Remote Hacker Automatic Control
	- Time Since Discovery - 2 Days
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	BlackBerry Outage Highlights Risks Of Single Supplier
2.2	Does Your System Management Mean Jail Time For Users?
=====================================

1.	SECURITY

1.1	Oracle (Multiple) - Remote Hacker Automatic Control

	-- Products Affected --
	Oracle Database 10g
	Oracle9i
	Oracle Secure Enterprise Search
	Oracle Application Server
	Oracle 10g Collaboration Suite
	Oracle E-Business Suite
	Oracle Enterprise Manager 9i
	Oracle PeopleSoft PeopleTools
	Oracle PeopleSoft HCM
	JD Edwards EnterpriseOne Tools
	JD Edwards OneWorld Tools

	-- Technical Description --
	Numerous vulnerabilities affecting the above listed products (and  
various versions of those products), ranging from serious arbitrary  
remote code execution (on Windows platforms and in Oracle9i  
Databases) through to denial of service and information theft.   
Detailed technical advice on attacking listed vulnerabilities has  
already appeared on various security mailing lists.

	-- Description --
	Oracle has released the Critical Patch Update for the January -  
April quarter, with numerous critical vulnerabilities being patched  
with this update.  The most critical vulnerabilities could allow a  
remote attacker to take complete control of a vulnerable Windows  
system that has certain Oracle software installed.  Other  
vulnerabilities, though not as serious, could still allow attackers  
to prevent legitimate use of the software, or steal sensitive  
information from within the software.  The next Critical Patch Update  
for Oracle is scheduled for July 17, 2007.

	-- Recommended Action --
	Apply the patches available from the Oracle site as soon as possible.

	-- Source --
	(Paid subscription required to access)
	
	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	-	-  (Nil)
	Corporate	9	10 (Critical - Highly Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	BlackBerry Outage Highlights Risks of Single Supplier

A system failure at Research In Motion, the creator of the ubiquitous  
BlackBerry handheld email device, left their North American customers  
without email coverage for extended periods on Tuesday night this  
week.  Dubbed 'Crackberry', for the seemingly-addictive behaviour  
associated with continually checking emails that BlackBerry owners  
seem to develop, the outage was sure to have given plenty of  
overworked thumbs a rest - if only for a little while.

However, anxiety from not being able to check email is likely to have  
caused problems.

While it is an annoying outage for BlackBerry users, it does  
highlight the risks associated with single supplier / single point of  
failure systems.  Some commentators have suggested that the continual  
drive for cheaper networked consumer electronics means that systems  
are being developed without redundancy built in.  Even though this  
system failure was compounded when RIM were attempting to get their  
backup location online (test, test, test, and test again), the  
pointless bureaucracy of various government departments meant that  
emails notifying users of the BlackBerry outage were being sent to  
their BlackBerries, even though it wasn't possible for the  
information to get through.


2.2	Does Your System Management Mean Jail Time For Users?

Following the change to Daylight Savings Time in the US, not all  
systems were successfully updated to reflect the changed date for the  
changeover.  Unfortunately for one high school student, the fact that  
his school's systems had not all been updated meant that he spent 12  
days in prison for a bomb threat that he did not send.

Even though the call that he had placed to the school was more than  
an hour ahead of the actual bomb threat, when the school's systems  
were updated after the fact, the unlucky student ended up being  
accused, then jailed, after the timestamp of the bomb threat appeared  
to coincide with the student's call (even though it was still several  
minutes out).  Compounding the problem was public statements from the  
school Principal that the student's denial (for having made the call)  
was irrelevant, as criminals lie.

An accurate, well-maintained system would have meant that such a  
situation would not have taken place - timestamps would correlate  
with the actual calls being made, irrespective of the timezone  
change.  While the student has been released from his imprisonment,  
many expect that the school system and local law enforcement will  
have a very expensive burden in the near future from anticipated  
lawsuits.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.

More information about the Alertmailinglist mailing list