By Andy Greenberg
ARLINGTON, Va. -- In 2001, Larry Ellison brashly proclaimed in a keynote
speech at the computing conference Comdex that his database software was
"unbreakable." David Litchfield has devoted the last nine years to
making the Oracle chief executive regret that marketing stunt.
At the Black Hat security conference Tuesday afternoon, Litchfield
unveiled a new bug in Oracle's 11G database software, a critical,
unpatched vulnerability that would allow a hacker to take control of an
Oracle database and access or modify information at any security level.
"Anything that God can do on that database, you can do," Litchfield told
Forbes in an interview following his talk.
The attack that Litchfield laid out for Black Hat's audience of hackers
and cybersecurity researchers exploits a combination of flaws in
Oracle's software. Two sections of code within the company's database
application--one that allows data to be moved between servers and
another that allows management of Oracle's implementation of java--are
left open to any user, rather than only to privileged administrators.
Those vulnerable subroutines each have their own simple flaws that allow
the user to gain complete access to the database's contents.
Litchfield says he warned Oracle about the flaws in November, but they
haven't been patched. Oracle didn't immediately respond to a request for
The bug is far from the first that 34-year-old Litchfield has outed on
Oracle's behalf. As a cybersecurity researcher and penetration tester,
Litchfield has exposed more than a thousand database software security
flaws, mostly in Oracle's code.
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News