Network World reporter Ellen Messmer published an article today about an Oracle vulnerability identified by David Litchfield, presented in order to refute Larry Ellison's claim that his database is "unbreakable".
David Litchfield, a researcher at NGS Consulting, demonstrated how a low-privileged database user can elevate his privileges to take complete control of Oracle 11g. He also showed how to bypass Oracle Label Security, the feature that enforces mandatory access controls on data according to its sensitivity label, so that a user who should see only rows at his own clearance level can read rows above it.
The security-industry veteran said that ever since he heard Oracle's chief Larry Ellison touting his database as being "unbreakable, I took umbrage at that." Litchfield noted that he and Oracle have had a "rocky relationship" for a long time.
Mr. Litchfield is targeting Oracle in this case, but most database vendors make similar efforts to calm their users' fears about vulnerabilities. The attack discussed is an example of the challenges database vendors face when trying to secure their own code: a privilege escalation of this kind means the database's own internal trust boundary between ordinary users and administrators has failed, and a label-security bypass means a control that customers deploy precisely to separate sensitive data from less-trusted users can be stepped around. Databases are large, complex software packages, and to expect them to be inherently secure straight from the vendor, regardless of CEO comments or promises, is risky. The practical consequence for operators is that patching, least-privilege account design, and monitoring of privileged activity remain necessary no matter what the marketing says.
