Security

Another 'critical' flaw, this time from Oracle

A browser plus a bit of knowledge equals access to valuable e-commerce data.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Robert Lemos
CNET News.com

Database software maker Oracle warned customers using the most recent version of its e-commerce program of a flaw that puts their systems at risk.

In a terse but strongly worded released to customers last week, Oracle said a software flaw in its Oracle 11i E-Business Suite and its Oracle Applications 11.0 could let an attacker take control of the database that powers the programs.

"Risk of exposure is high, as any user with browser access and specialized knowledge can exploit" the flaw, Oracle said in the advisory. The company would not provide details. Oracle has released a patch for the problem and urged customers to update their systems.

Security information provider Secunia as "highly critical," its second highest rating.

The vulnerability was discovered by Stephen Kost, chief technology officer for , a company focused on creating software to secure critical corporate applications. Integrigy's own advisory jibed with Oracle's on the ease with which the flaw could be exploited.

"Since attacks can be specially crafted for Oracle Applications and an attack may only be a single (HTTP, or Hypertext Transfer Protocol, request), successful attacks can be easily designed that will evade most intrusion detection and prevention systems," Integrigy said in its advisory.

Early last year, Integrigy released its application security product, AppSentry, for Oracle's E-Business Suite. A year ago, the company also published information on two other flaws in the same Oracle product.

Editor's Picks