BOSTON (Reuters) - A computer security expert has uncovered what he says are flaws in widely used software from Oracle Corp that could let hackers remotely access sensitive information in corporate and government databases.
A bug in the design of the Oracle database — the world’s top-selling software for storing electronic information — could allow hackers to break into private databases via the Internet, said David Litchfield, chief research scientist of NGSSoftware Ltd, a UK-based computer security company.
“It allows an attacker without a user ID and password to take complete control. All firewalls become irrelevant,” Litchfield said on Wednesday after presenting his research at the Black Hat hacking conference in Washington.
Litchfield said that he warned Oracle of the problem in November, hoping that the company would fix the flaw when it issued a group of quarterly security patches in January.
He said that he decided to go public because Oracle failed to do so.
Officials with Oracle declined comment on the matter.
Litchfield said that he believes about nine out of every 10 Oracle databases are vulnerable to attack. He said it is possible to change the default settings on Oracle’s software to thwart potential hackers looking to exploit the vulnerability.
He added that it was impossible to say whether any hackers had actually exploited the flaw to illegally break into a database.
Reporting by Jim Finkle; Editing by Phil Berlowitz