February 6, 2002 4:55 PM PST
Guru says Oracle's 9i is indeed breakable
The security problems, found by U.K. security researcher David Litchfield in December, include a serious software slip-up that could let hackers take control of corporate servers loaded with the database program.
"This is a very serious problem for organizations that rely on Oracle," Litchfield said in a statement Wednesday. "Those that don't take steps to protect themselves will be left open to severe attacks such as data theft or modification."
The problems highlight the danger in claiming that software products are totally secure, said Greg Shipley, director of consulting services for security firm Neohapsis.
"It's the classic way of doing marketing wrong, and it puts a big target on your products," he said.
Normally, companies adopt a flock-of-sheep mentality, keeping their heads down and, hopefully, out of sight of the online wolves that roam the Internet. Companies that throw down the gauntlet to hackers usually find themselves in trouble, said Shipley. "Name one vendor that hasn't been taken down. They all have."
However, Oracle's Chief Security Officer Mary Ann Davidson took exception to any characterization that the company hasn't delivered on its promise to create "unbreakable" software.
"We are doing a heck of a lot," she said. "I would much rather stand up and say we are going to make every product unbreakable than to say, 'you're right, it's impossible,' and give up."
With tag lines such as "Oracle9i Database--Can't Break It. Can't Break In" and "Only Oracle9i Is Unbreakable," the company's marketing campaign--kicked off at Comdex in Las Vegas last November--has set a high bar for the database maker's programmers. Oracle has spent more than a million dollars on international software certifications that require a minimum level of security.
Even so, security experts have criticized the marketing campaign as so much fluff.
"The whole 'unbreakable' thing is not possible, given current technology," said Chris Wysopal, director for research and development at network-protection firm @Stake. "All software has holes."
He did give Oracle kudos for taking security seriously. "Look at the actions," he said. "Don't look at the marketing slogans."
Oracle's Davidson acknowledged that the company may come under fire for its marketing pledge, but in the end, she added, it's not about having no software flaws--it's a company's commitment to do away with those flaws that matters.
"Everyone should be taking a pledge to make their products unbreakable," she said, adding that companies that accept the status quo, putting security in second place, have no place in the enterprise.
Oracle, like Microsoft, has had its share of security holes. Last July, security researchers found a software bug in the company's 8i database that could let malicious attackers break into its servers.
The current set of flaws found by Litchfield, a consultant with Next Generation Security Software, was discovered when the researcher tested a vulnerability assessment scanner against Oracle's latest database software.
The software bugs occur in Oracle's database itself and in its Java-server modules for the Apache Web server. Oracle published software patches for some of the flaws in December and for the rest on Wednesday.
"Marketing campaigns come and go," said Oracle's Davidson, "but we are in security for the long haul."