Mihir :-)
Thread author
Allround Automations has released a new version of its PL/SQL Developer product to address a security flaw that allows man-in-the-middle (MitM) attackers to serve malicious files and execute arbitrary commands.
PL/SQL Developer is an Integrated Development Environment designed for developing stored program units for Oracle databases. The tool checks for updates every time it’s started and if an update is available, a file is downloaded from a specified URL and installed.
Application security consultant Adam Caudill discovered that version 11.0.4 (and likely earlier versions) uses HTTP when fetching updates and it does not validate the downloaded file’s authenticity.
Read More: Serious Flaw Found in "PL/SQL Developer" Update System | SecurityWeek.Com
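The two checks the article says were missing (an authenticated transport and validation of the downloaded file), sketched as an added example that is not part of the original post and not Allround Automations' actual fix. It assumes a detached RSA PKCS#1 v1.5 / SHA-256 signature over the update file; the key is a constructed demo key built from two Mersenne primes, and the function names and URLs are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key, NOT a real vendor key: two Mersenne primes are
# trivially factorable and only keep this example self-contained.
# A real updater embeds the vendor's public key and uses a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(payload: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(payload), padded to K bytes."""
    t = SHA256_PREFIX + hashlib.sha256(payload).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_for_demo(payload: bytes) -> bytes:
    """Vendor-side signing, present only to build constructed sample input."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    m = int.from_bytes(_encode(payload), "big")
    return pow(m, d, N).to_bytes(K, "big")


def verify_update(url: str, payload: bytes, signature: bytes) -> bool:
    """Accept an update only if it came over HTTPS and its signature checks out."""
    # Check 1: refuse plain HTTP, the transport the article says was used.
    if urlsplit(url).scheme != "https":
        return False
    # Check 2: validate authenticity of the downloaded bytes before install.
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Compare against a freshly built encoding instead of parsing the
    # recovered padding, which avoids lenient-parser forgery bugs.
    return hmac.compare_digest(recovered, _encode(payload))
```
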