7 February 2002 Security flaws has been found in the flagship software of database software giant Oracle, undermining the vendor’s claims that its Oracle9i database software is “unbreakable”.

Several flaws were found in Oracle’s software, including methods to allow a hacker to gain access to Oracle’s 9i database server without having to input a user ID or password. This means that a hacker could execute a program on a corporate server using Oracle9i from a remote location.

The security flaws were discovered by David Litchfield, co-founder of UK-based security software and services specialist Next Generation Security Software.

Litchfield said the vulnerabilities represented a very serious problem for Oracle customers. “Those that don’t take steps to protect themselves will be left open to severe attacks such as data theft or modification,” he said.

Oracle responded by saying it had been made aware of the problem in December 2001 and had already released patches and workarounds. “No Oracle customers have reported issues stemming from these bugs,” the company said in a statement.

But its 9i Application Server has also been strongly criticised. Another flaw enables a hacker to launch buffer overflow attacks on the 9i application server, enabling them to break into systems running 9i. The flaw is featured on versions of 9i running on a number of operating systems, including Microsoft Windows series servers and Sun Microsystems’ Solaris 2.6, says Litchfield.

Since late 2001, Oracle has been running extensive marketing campaigns stressing the robustness of its software, including: “Oracle9i Database – Can’t Break It. Can’t Break In”.