August 3, 2004 6:30 PM PDT
Oracle plans to patch peck of flaws
While details of the flaws have not been made public, researcher David Litchfield offered some general information about the issues at the Black Hat Security Briefings in Las Vegas last week.
Oracle addressed the issue in a statement to CNET News.com: "Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better. Oracle has fixed the issues...and will issue a security alert soon."
While Litchfield, who is managing director of Next-Generation Security Software, had planned to release information about the database flaws last week, he held off because of the lack of patches. Litchfield first notified the software company of the problems--some of which he ranked as critical--in January.
Litchfield said Tuesday that although he has repeatedly pointed out the flaws in Oracle's database software, the company has yet to issue any patches because of an ongoing shift in its corporate policies for releasing such information.
The flaws Litchfield uncovered aren't the only ones Oracle has had to deal with this year. The database giant in June released a patch for a critical flaw in the company's Oracle 11i E-Business Suite.
Litchfield refused to elaborate in detail on the problems in the software, which he fears would allow hackers to rapidly launch attacks against Oracle's customers. But he said the problems range from large to small, from so-called buffer and heap overflow issues to poor password protection.
In some cases, he said, people without any username or password information could gain access to the Oracle systems, while in other cases individuals with only limited access permissions could covertly upgrade their status to database administrator levels.
Litchfield said he first began actively looking for holes in Oracle's software two years ago, when the company launched its "unbreakable" marketing campaign, which touted the security strengths of its database software. With the help of several colleagues, Litchfield claims, he found close to 50 flaws in the company's database programs in less than 24 hours.
"It was probably unwise for Oracle to advertise itself as 'unbreakable,' and I know it raised some eyebrows even within the company," he said. "But marketing doesn't necessarily consult the developers when it builds its message for the public."
Litchfield points out that anyone who takes the time to peruse the company's listings of its previous security patches can figure out for themselves how vulnerable the company's products have been. However, the security expert said that Oracle is no more culpable of trying to downplay vulnerabilities than many of its competitors, including Microsoft, IBM and others.
Litchfield said that Oracle may want to take a page from Microsoft's book in terms of improving the company's overall approach to patching holes in its software.
"Microsoft has traditionally been a big target, and they've suffered publicly because of that," he said. "But Microsoft has adopted better internal processes to address the problem, and they've now advanced past the rest of the market in terms of their ability to respond to new issues."