Friday, September 16, 2011

Security Flaw at Oracle Could Take Down Application Servers

Oracle just released an emergency patch for a vulnerability that, according to the company, could bring down the HTTP application servers it sells, which are based on Apache 2.0 or 2.2.

According to a statement released by Oracle, hackers can exploit the weakness remotely without needing a username or password. Multiple products are affected by the bug, including Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0 and 11.1.1.5.0; Oracle Application Server 10g Release 3, version 10.1.1.5.0; and Oracle Application Server 10g Release 2, version 10.1.2.3.0.

The United States Government's National Vulnerability Database has already assigned a Common Vulnerability Scoring System (CVSS) rating of 7.8 to the bug, indicating a "complete Operating System denial of service (dos)", according to the company. However, Oracle did take issue with the assessment in its security alert.

According to the company, "A complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete denial of service of the Oracle HTTP Server but not the Operating System."

Regardless of how you score it, the bug was, evidently, serious enough for Oracle to release a patch for it outside of the company's usual large quarterly update schedule, the next of which is poised to take place on October 18, 2011.

The hack at Oracle is just the latest in a series of hacks against large corporations, government websites and other companies from multiple hacker groups that like to be known as "hacktivists". These attacks have gotten so bad that the government has started an all-out campaign against these hackers in an attempt to stop them before they cause any extremely serious damage.

Source: PC World - Oracle: Security Flaw Could Bring Down App Servers

Thursday, September 1, 2011

Microsoft SQL Server Switching to Open Database Connectivity

Microsoft announced a roadmap change on Monday indicating that it will shift its focus to supporting the Open Database Connectivity (ODBC) approach for SQL Server application programming interfaces in the very near future. This is an important announcement for C/C++ developers who are writing applications for relational database management systems, especially if they are using other Microsoft-supported APIs like Object Linking and Embedding Database (OLE DB).

In addition to that, Microsoft has announced that it will be slowly cutting ties with OLE DB support. According to Microsoft, there will be a 7-year phase out period for OLE DB which will correspond with the life cycle support period of SQL Server code-named "Denali" after that product launches. Denali will be the last Microsoft SQL Server database management product to support OLE DB.

According to a blog post from Microsoft, "OLE DB will be supported for seven years from launch, the life of SQL Server Code Name 'Denali' support, to allow you a large window of opportunity for change before depreciation. We encourage you to adopt ODBC in any future version or new application development."

Microsoft has yet to announce a release date for Denali, though the common expectation is that Denali will be released in the fourth quarter of this year. It is also expected that details will come from Microsoft's PASS Summit 2011 event in October.

Interestingly enough, Microsoft is accepting that the ODBC open standard it developed with Simba Technologies back in 1992 has become the widely accepted standard for database APIs. According to Simba's history of ODBC, ODBC has overshadowed Microsoft's other attempts to improve on the standard with OLE DB.

According to Microsoft, "This depreciation applies to the Microsoft SQL Server OLE DB provider only. Other OLE DB providers as well as the OLE DB standard will continue to be supported until explicitly announced." However, a Microsoft FAQ does indicate that ADO will also be affected by the phase out of OLE DB.

"Providers like ADO.net which can run on top of OLE DB will not support OLE DB once the latter is depreciated," says the FAQ. "At that time the clients using the underlying provider need to update their application to use a different provider."

If you are a developer, then you should consider moving to ODBC over the 7-year period in order to align with this general plan. OLE DB was Microsoft's proprietary technology; however, Microsoft has now admitted that ODBC was a better choice.

According to the FAQ, "OLE DB was introduced primarily to provide uniform data access to non-relational data as well as relational data. But it is Microsoft's proprietary technology that worked only on Microsoft platforms. When it comes to uniform data access to SQL Server from different platforms, ODBC has always been a better choice and that was consistently quoted by all of our customers in various surveys, SDRs and forums. By fully aligning with ODBC, Microsoft will be focusing on one set of industry standard APIs that are widely used by many of our customers."

Source: Redmondmag.com - Microsoft Shifting To Open Database Connectivity for SQL Server