October 27, 2005 4:00 AM PDT
Flaw hunters pick holes in Oracle patches
A quarterly patch update sent out by the company last week contained fixes for a laundry list of flaws affecting much of its lineup. But it left out some vulnerabilities that prominent security researcher David Litchfield expected to be tackled--leading him to call for a security overhaul at Oracle, including the resignation of its chief security officer.
"That was the last straw," said Litchfield, a security researcher and co-founder of U.K.-based Next Generation Security Software. "I was extremely disgusted and upset, and I think their customers should take umbrage too. Oracle needs to re-address their security philosophies--their understanding of what security is and what it means."
What's new:
Oracle has come under increased fire from security researchers, who say the software maker's patch process needs to improve.
Bottom line:
Now that Microsoft has shaped up on security, the spotlight is turning elsewhere--and Oracle, working to integrate acquired technologies, makes for a large target.
Litchfield is not alone in his critique of the database giant. Other security researchers have joined him in accusing Oracle of plugging holes too late, of delivering low-quality patches that need their own updates, and of not actually fixing vulnerabilities but merely applying a Band-Aid to block the sample attack code provided by researchers.
"Oracle is years behind Microsoft and other companies on security," said Cesar Cerrudo, CEO at information security services company Argeniss in Argentina. "I think Oracle is an amateur when it comes to security right now."
Oracle chose not to comment for this story.
With Microsoft, once the object of bug-related complaints, now earning kudos from researchers and analysts for its security efforts, the spotlight is turning elsewhere. Oracle is a likely target. The Redwood Shores, Calif., company's enterprise software portfolio has grown fast in recent years as it has picked up rivals in an acquisition spree.
While Oracle has been moving away from using the term "unbreakable" in its marketing, the company still likes to boast about the security of its products. In a meeting with reporters at Oracle OpenWorld in San Francisco last month, CEO Larry Ellison boldly stated his software does not have flaws. He did acknowledge, however, that problems do arise--but only when people customize the products, he said.
Some professional flaw-finders are not convinced. As a case in point, Litchfield referred to Oracle's August 2004 security release, which included patches for issues he had reported to the company eight months earlier. The repairs didn't really work, he said. With a slight modification, the sample attack he had submitted worked again. "It looks like they attempted to stop the exploit as opposed to fixing the bug," he said.
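The pattern Litchfield describes, a patch that recognizes the submitted proof-of-concept rather than removing the underlying defect, is easy to see in miniature. The block below is an added illustration and is not Oracle code or anything from the article: it builds a constructed sqlite3 table, a lookup that assembles SQL by string concatenation (the real defect), a "band-aid" version that rejects only the reported input, a root-cause fix that uses a bind variable, and the regression check a reviewer would run against all three with the reported input plus trivial variants. All names, data and inputs are constructed for the example.

```python
"""Added illustration: a 'block the proof-of-concept' patch versus a root-cause fix.

Constructed example using sqlite3; none of this is Oracle's code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: account names and their roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "dba"), ("bob", "reader"), ("carol", "reader")],
    )
    return conn


# Constructed stand-in for the input a researcher submitted with a report:
# a textbook tautology appended to a legitimate value.
REPORTED_POC = "bob' OR '1'='1"


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Original code: the caller's input is spliced into the SQL text."""
    sql = f"SELECT name FROM accounts WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bandaid(conn: sqlite3.Connection, name: str) -> list:
    """'Patch' that only rejects the exact reported string; the defect remains."""
    if "' OR '1'='1" in name:
        raise ValueError("rejected input")
    return lookup_vulnerable(conn, name)


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Root-cause fix: a bind variable, so the input is never parsed as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM accounts WHERE name = ?", (name,))
    ]


# Regression set a reviewer would run: the reported input plus trivial
# variants (different constant, case change, extra whitespace).
VARIANTS = [
    REPORTED_POC,
    "bob' OR '2'='2",
    "bob' or '1'='1",
    "bob' OR  '1'='1",
]


def fix_holds(lookup) -> bool:
    """True if no variant returns more than the single row a name can match.

    A rejected input (ValueError) counts as handled; a query that returns
    every row means the defect is still reachable.
    """
    conn = make_db()
    for variant in VARIANTS:
        try:
            rows = lookup(conn, variant)
        except ValueError:
            continue
        if len(rows) > 1:
            return False
    return True


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_bandaid, lookup_fixed):
        print(f"{fn.__name__:18s} holds: {fix_holds(fn)}")
```

Only the parameterized version survives the check; the band-aid blocks the one string it was written against and fails on the first variant, which is the behaviour the researchers describe.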
Litchfield, who has been scrutinizing Oracle's security for some time, was hoping Oracle would finally put the issue right in its bulletin last week, but it did not. The bugs could be exploited by a user with low-level privileges to gain full access to an Oracle database, he said.
What's unclear is whether the bugs have resulted in any data theft or corruption. Big companies--the bulk of Oracle's customer base--rarely discuss such issues in public.
Timely response
How much time there should be between the identification of a vulnerability and the availability of a patch has long been the subject of debate between researchers and software vendors. It depends on many variables, including whether details of the flaw are public and the quality and complexity of the code involved.
In general, researchers who find software bugs report those to the vendor, following "responsible disclosure" guidelines favored by the software industry. They then keep the vulnerability details private
On the other hand, Oracle products have a pretty good reputation of being secure. Relatively, at least. If you have the different layers of security, you should be able to limit the access to these vulnerabilities.
Good article, though.