MySQL Zero-Day Allows Database Takeover. From Softpedia.
Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions and allow an attacker to take full control over the database.
Golunski says he informed Oracle of both issues, along with other database vendors that forked the MySQL engine in the past such as MariaDB and PerconaDB.
Today the researcher took the extreme measure of publishing proof-of-concept exploit code for CVE-2016-6662 after both MariaDB and PerconaDB fixed the vulnerabilities and Oracle did not
Data Breach At Oracle’s MICROS Point-of-Sale Division. From KrebsOnSecurity.
A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.
Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.
Flaws in Oracle file processing SDKs affect major third-party products. From CSO Online.
Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors, including Microsoft. The vulnerabilities were found by researchers from Cisco’s Talos team and are located in the Oracle Outside In Technology (OIT), a collection of software development kits (SDKs) that can be used to extract, normalize, scrub, convert and view some 600 unstructured file formats.