Where to find database vulnerabilities not yet fixed; Coming January 18 - February 1

If you haven’t heard yet, a Russian security firm, Intevydis, has become so frustrated with the unresponsiveness of vendors that they have pledged to reveal details of undisclosed flaws in enterprise applications (including databases) they have discovered for the remainder of January. This started January 11th and currently has the two vulnerabilities posted on the Intevydis blog:

• Jan. 11 - Sun Directory Server 7.0 core_get_proxyauth_dn DoS
• Jan. 12 - Tivoli Directory Server 6.2 do_extendedOp DoS

So how do your applications and databases stack up in the mix? Here is the current schedule of exposures according to the Intevydis blog:

• [January 11, January 17] – week of directory server bugs, 0days in Novell eDirectory, Sun Directory, Tivoli Directory..etc
• [January 18 - January 24] – week of web server bugs, 0days in Zeus Web Server, Sun Web Server, Apache(?)..etc
• [January 25 - February 1] – week of database bugs, inspired by our research for DBJIT Toolset, 0days in Mysql, IBM DB2, Lotus Domino, Informix, Oracle(?)…and hopefully more

It is nice to see that they have saved the databases until last. Maybe the vendors will respond between now and then to remedy the riff that has occurred and our databases will remain safe.