“Thirty-four vulnerabilities — the majority of them critical — have been identified in multiple versions of Oracle’s database server. “Most of the flaws are critical,” said David Litchfield, a researcher at UK-based NGSSoftware, whose company discovered the flaws. “One allows an attacker to gain control of the database server without a userID or password. Others allow low-privileged users (i.e. those that do have a userID and password) to gain complete control of the database server.” Litchfield discussed the vulnerabilities in very broad terms at last week’s Black Hat Briefings in Las Vegas. He refused to provide specific detail on the flaws because Oracle hasn’t released patches yet. Generally, the flaws have to do with the Procedural Language/Structured Query Language and its triggers.”