Oracle refuses to learn its lesson, experts say

By Bill Brenner, Senior News Writer 08 May 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Oracle Corp. may be baking more secure code into its new products, but some experts say that doesn't help enterprises using older programs that are riddled with vulnerabilities.

Those experts add that the vendor's patching process still leaves much to be desired, as it often ignores key flaws for months and even years, leaving enterprise databases open to a variety of attacks.

The critical patch update (CPU) the Redwood Shores, Calif.-based vendor released last month is a good example of the inadequacies, said Alexander Kornbrust, database security researcher and business director at German firm Red-Database-Security GmbH. The update patched 36 flaws in a variety of products, but some fixes were incomplete and a long list of other problems went unaddressed.

Oracle's code and product quality is getting better, but they still take way too long to fix vulnerabilities. In my view, a year-old flaw is unacceptable. Alexander Kornbrust Red-Database-Security GmbH

Kornbrust's Web site keeps a running list of open Oracle security holes, and the latest count is 45. The oldest flaw was first disclosed in 2003 and many were first reported last year. And those are just the security holes he's discovered.

"Overall, there are 130-140 open security issues if you tally everything found by different researchers," he said. "Oracle's code and product quality is getting better, but they still take way too long to fix vulnerabilities. In my view, a year-old flaw is unacceptable."

Agreeing with that view is Pete Finnigan, author of Oracle Security Step By Step and keeper of a popular blog on the subject.

In an e-mail exchange, he said Oracle is making a better effort to improve code in newer products, but they're not working hard enough to fix code weaknesses in older programs. He said that's a problem because many Oracle customers aren't using the latest and greatest programs. "Most of those I talk to are not on 10g release 2," he said. "The focus should be on fixes for versions of Oracle that the general customers are using."

Finnigan also wasn't impressed that the fixes in the April CPU were delayed for certain platforms. He said the patch download page noted that for some platforms fixes wouldn't be available until May 1 or May 15. "This is not a quarterly patch cycle," he said.

Incomplete fixes
Oracle has also been criticized for releasing partial security fixes for certain issues. Kornbrust said one of the incomplete fixes in the April CPU affects the Oracle Spatial utility. In an analysis on his Web site, he said one of the fixes for Oracle 9.2.0.7 is incorrect and that one parameter in the spatial package isn't properly sanitized, meaning sensitive data isn't properly removed or quarantined.

David Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., said on the Full-Disclosure electronic mailing list hosted and sponsored by Danish vulnerability watcher Secunia that the April CPU endeavors but fails to address a problem dating back to April 2004.

Timeline: Oracle security Apr. 19: Oracle fixes 36 more vulnerabilities Apr. 11: Oracle accidentially exposes exploit Feb. 28: Oracle releases critical out-of-cycle patch Jan. 27: Oracle failed to patch critical flaw Jan. 20: Oracle makes Microsoft look good

He said he first reported an SQL injection vulnerability in the GET_DOMAIN_INDEX_METADATA function of 10g Release 2 to Oracle on April 13, 2004 and that the company issued a fix that August that proved inadequate.

Since then, Litchfield said there has been a pattern where Oracle tries to fix the problem in a CPU, he finds the fix is inadequate and the company tries to fix it again in the next CPU.

"I was told the April 2006 CPU contained a fix, but it [is] still vulnerable," he said. "It is unfortunate that Oracle did not take the opportunity to fix the flaws the first time around. It is amazing Oracle didn't fix them the second time around. It is disgraceful, in my opinion, that they didn't fix them properly the third time around."

A familiar story
For Oracle, criticism over its patching process is nothing new. The company's CPUs are usually followed by third-party warnings about flaws that either went unaddressed or weren't fixed properly.

Litchfield has been a particularly vocal critic of the database giant's security efforts. When he criticized Oracle's patching efforts following the January 2006 CPU, Oracle fired back, saying it was "disappointed" Litchfield had revealed information that could be used to exploit the flaw in question.

In past interviews, Oracle CSO Mary Ann Davidson has acknowledged her company's patching process isn't perfect, but that it has taken steps in the right direction. One example she gave was the company's decision to have a quarterly patch update database administrators (DBAs) could plan around.

Indeed, DBAs have expressed support for the quarterly cycle. But complaints over slow patching seem to have increased in recent months.

Oracle did not immediately respond to a request for comment for this story.

Kornbrust said the company could alleviate a lot of criticism by simply improving communication. For example, he said, the CPU bulletins could better explain which flaws are critical as opposed to issues DBAs can address without having to apply a patch.

"Patch information that comes from Oracle is very complicated," he said. "This latest patch is rated critical. The problem is that if one issue is critical, the entire update is deemed critical. But for DBAs some flaws are more critical than others, depending on their infrastructure."

In these cases, he said, DBAs need information to help them decide when to apply a patch and when it's better to apply a workaround.

Should information security pros be wary of endorsing the use of Oracle products in their organizations until the database giant solves its communication and process problems? No, said Jonathan Eunice, an analyst at Nashua, N.H.-based Illuminata Inc.

"All large, complex products have bugs, whether it's the DBMS or the applications, these are packages on which customer data depends, so one doesn't just make change willy nilly," he said in an e-mail exchange. "Any problems need to be carefully understood, and any proposed changes need to be carefully tested. That takes time."

The time might be longer than everyone would like, he said, but it wouldn't be helpful to partially fix one bug and create several more in the process, all for the sake of speed.

"So while Oracle isn't really unbreakable, neither do I find them remarkably bad," he said.

Tags: Database Security Management,  Software Development Methodology,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Software Development Methodology How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack nCircle statistics show rising Web application vulnerabilities Common PCI questions: Web application firewalls or source code review? Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary