Pythian Group

Oracle has just released their January installment of their critical patch update (CPU). Vulnerability CVE-2010-0071 is particularly critical, with a CVSS score of 10, the highest possible. It’s a remotely-exploitable listener vulnerability that’s particularly severe on Windows platforms.

Full details are on Oracle’s security site.

Just got an interesting note on Twitter that you can’t call a stored procedure dynamically in Oracle from a PL/SQL block like passing the procedure name in a variable.

Well, yes we can!

And the answer is EXECUTE IMMEDIATE — it can be used to run anonymous PL/SQL blog and not just a SQL statement. However, you will want to think many many times before doing so… if you love your data.

Let’s create the test procedures:

SQL> create or replace procedure bingo as
  2  begin
  3  dbms_output.put_line('Bingo!');
  4  end;
  5  /

Procedure created.

SQL> create or replace procedure bambam as
  2  begin
  3  dbms_output.put_line('BAM BAM!');
  4  end;
  5  /

Procedure created.

Now let’s create a wrapper that we will call passing a procedure name: Read the rest of this entry . . .

All,

I’m writing to help get the word out that Microsoft announced a major security vulnerability in GDI+, a component that is included and vulnerable to remote code execution exploits in every supported release of SQL Server 2005.

You can find our more about the vulnerabilities and affected products (there’s a long list, not just SQL 2005) at the Microsoft announcement here.

There is an update already available, so you probably want to evaluate an accelerated deployment of that. If you are a current Pythian client, we’ll be reviewing this patch for you. If you are not, now would be a good time to sign up, and Michelle will take care of you. :-)

Snippet from the announcement:

Executive Summary

This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4, Microsoft Digital Image Suite 2006, SQL Server 2000 Reporting Services Service Pack 2, all supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package, and Microsoft Report Viewer 2008 Redistributable Package.

This security update is rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, 2007 Microsoft Office System, Microsoft Visio 2002, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, and Microsoft Forefront Client Security 1.0. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that GDI+ handles viewing malformed images. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. Microsoft Knowledge Base Article 954593 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.