| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: Xg = Omlet = Bad Egg
> Which site are you perusing? The listed URL has but three working
> links (four if you count the Advanced Search link, which sends the user
> to the download page), and none of these have any security information.
> The working links are:
Strange, this is the site but god knows how I got to it then...
http://www.orafaq.com/node/841....
DB18 - "DB18 lets anyone with a login execute arbitrary commands as SYS."
Thus, any user with no more than CONNECT privileges can execute arbitrary statements as SYS. For example, any user could create a new account and grant DBA privileges to that account. (If the user tries to grant DBA privileges to their current account, the session hangs.)
> Microsoft marketing. And just how secure is SQL Server or Windows? At
> least twice monthly I'm inundated with 'security hotfixes' for Windows
So, Microsoft tells you then, although annoying at least you know and have a patch to apply to fix it!!
Does Oracle tell you because it doesn't appear to be the case? It seems like you have to subscribe to some OTN or something and work out and apply the patches yourself.
I would hope all vendors follow the same model that MS uses, send you the patch and it can automatically update your machine without you having to chase it and then mess about working out how to install the dam thing.
> People who live in glass houses ...
Yes, but my glass house has somebody who comes round and does the checks and repairs for me; I don't have to work out there's a problem and I certainly don't have to go round chasing a >glazier< and then have to fit the glass myself because I don't have a support contract or subscribe with that glazier!
-- Tony Rogerson SQL Server MVP http://sqlserverfaq.com - free video tutorials <fitzjarrell_at_cox.net> wrote in message news:1140997260.558368.244050_at_j33g2000cwa.googlegroups.com...Received on Mon Feb 27 2006 - 04:25:33 CST
> Comments embedded.
> Tony Rogerson wrote:
>> His site does make some good points about security though.
>>
>
> Which site are you perusing? The listed URL has but three working
> links (four if you count the Advanced Search link, which sends the user
> to the download page), and none of these have any security information.
> The working links are:
>
> The download link (which sort of works until you realise the JAR file
> is incomplete or corrupt).
>
> The "send me your money" link
>
> The Oracle Underground FAQ link
>
>
>> What did you say about Oracle being unbreakable? Virus.....
>>
>
> I have never said anything of Oracle being unbreakable, nor has Daniel
> Morgan. Oracle marketing, on the other hand has done no worse than
> Microsoft marketing. And just how secure is SQL Server or Windows? At
> least twice monthly I'm inundated with 'security hotfixes' for Windows
> ...
>
>> Seems pretty breakable if somebody can very easily malform the protocol
>> stream and create a sys admin and do what they want.... and for Oracle to
>> keep it quite - well, thats just terrible; wait to oracle express takes
>> hold - should be interesting in say 6months - a year when all those holes
>> start appearing and being exploited ;)
>>
>
> People who live in glass houses ...
>
>> --
>> Tony Rogerson
>> SQL Server MVP
>> http://sqlserverfaq.com - free video tutorials
>>
>>
>
> David Fitzjarrell
>
 |
 |