Oracle has already identified and patched the security flaw, but there’s a problem. Since POS systems are deemed “mission critical” by most businesses, system administrators rarely schedule maintenance for them, for fear that an unstable patch or update could cause undue downtime for the company. Because of that, it will likely be a month or more before the new update finds its way to all 300,000 of the at-risk systems.
As security flaws go, this one is fairly nasty, too, as it allows a hacker to collect configuration files from any vulnerable Micros POS system. This data can then be used to grant the hacker full, unrestricted access to the POS system, as well as the database and server it feeds information to.
Most hackers attacking a POS would be content with simply collecting credit card details for resale on the Dark Web. However, with this exploit, any sort of malware could be installed to use against the company later.
Even worse, a hacker need not be in close proximity to the device in question. A carefully crafted HTTP request could trigger the security flaw and open the door. Of course, if a hacker is in close proximity to the system, then there are many easier ways to infect it. One only needs to distract the sales clerk long enough to attach a simple Raspberry Pi board equipped to run the exploit code, and the damage is done. Security researchers from antivirus firm Trend Micro, who discovered the bug, report that the “bulk of the companies using this platform is mostly concentrated in the United States.”
The bottom line is, if you use an Oracle POS, make installing the latest security patch a priority. You’ll be vulnerable until you do.