Serious Flaw Found in "PL/SQL Developer" Update System

  • 2 May 2016
By Eduard Kovacs on May 02, 2016

Allround Automations has released a new version of its PL/SQL Developer product to address a security flaw that allows man-in-the-middle (MitM) attackers to serve malicious files and execute arbitrary commands.

PL/SQL Developer is an Integrated Development Environment designed for developing stored program units for Oracle databases. The tool checks for updates every time it’s started and if an update is available, a file is downloaded from a specified URL and installed.

Application security consultant Adam Caudill discovered that version 11.0.4 (and likely earlier versions) uses HTTP when fetching updates and it does not validate the downloaded file’s authenticity.
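The missing authenticity check described above, as an added example (not code from PL/SQL Developer or the article): a client that installs whatever the update server returns, beside one that verifies an Ed25519 signature over the installer against a release key pinned in the client, so a swapped file is rejected even over plain HTTP. The package layout, key, sample installer bytes and function names are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is what the client receives from the update server: the
// installer bytes plus a detached signature made by the vendor's release key.
type UpdatePackage struct {
	Installer []byte
	Signature []byte
}

// installUnverified mirrors the flawed behaviour: whatever arrives is installed,
// so an on-path attacker who rewrites the HTTP response controls the result.
func installUnverified(pkg UpdatePackage) ([]byte, error) {
	return pkg.Installer, nil
}

// installVerified only accepts an installer whose signature checks out against
// the release public key pinned in the client binary; forging it needs the private key.
func installVerified(pinnedKey ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinnedKey, pkg.Installer, pkg.Signature) {
		return nil, errors.New("update rejected: signature does not match pinned release key")
	}
	return pkg.Installer, nil
}

// simulate: the vendor signs a release, then an attacker swaps the installer bytes.
func simulate() (unverifiedAcceptsTampered, verifiedAcceptsGenuine, verifiedRejectsTampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor release key
	genuine := []byte("plsqldev-genuine-installer")   // constructed sample installer
	signed := UpdatePackage{Installer: genuine, Signature: ed25519.Sign(priv, genuine)}
	tampered := UpdatePackage{Installer: []byte("attacker-swapped-installer"), Signature: signed.Signature}
	_, err1 := installUnverified(tampered)
	_, err2 := installVerified(pub, signed)
	_, err3 := installVerified(pub, tampered)
	return err1 == nil, err2 == nil, err3 != nil
}

func main() {
	fmt.Println(simulate()) // true true true
}
```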

1 reply

Seems that man-in-the-middle attacks or potential exploits appear to be ever present even though somewhat eclipsed by the rash of ransomware-related happenings of recent times. Just goes to show how important it is for security vendors like Webroot to keep current (and we know that thanks to ENZO they do). ;)
