Feeds

Oracle taken to task for time to fix vulnerabilities

'Fell through the cracks'

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Claiming that Oracle has failed to fix six vulnerabilities despite having more than 650 days to issue a patch, researchers at security firm Red Database Security published details of the flaws on Tuesday.

The flaws vary in severity with three of the six classified by the firm as high risk, potentially allowing a remote attacker to compromise a server or overwrite files, according to advisories released by Red Database.

"Oracle's behavior (in) not fixing critical security bugs for a long time - over 650 days - is not acceptable for their customers," Alexander Kornbrust, CEO and principal researcher with the Neunkircher, Germany-based consultancy, said in the prologue to each advisory. "Oracle put their customers in danger - at least one critical vulnerability can be abused (by) any attacker via the Internet."

The public release of the advisories - along with instructions outlining techniques to exploit all but one of the flaws - marks the latest incident between independent security researchers and software companies, two groups frequently at odds over when, or even if, to disclose vulnerabilities.

In April, a showdown between database maker Sybase and flaw finders ended when the company allowed vulnerability researchers to release details of several flaws that had already been patched. At the CanSecWest conference in May, Microsoft presented details of how the company deals with flaws in an attempt to gain sympathy from independent security researchers.

In this case, Oracle did not address the criticism nor the flaws directly, but instead commented on how the information about the unpatched vulnerabilities was released.

"We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed," the company said in a statement. "We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available."

Red Database Security told Oracle of the flaws between July and September of 2003, according to the security firm's advisories. The company communicated with Oracle about the issues and, three months ago, gave the database maker until the July quarterly patch to fix the issues.

Oracle moved to a quarterly patch cycle almost a year ago and, in its July update, did not fix any of the vulnerabilities about which the security company had warned, according to Red Database.

"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," Red Database's Kornbrust said in the explanation introducing each flaw report. The reports were posted to the company's Web site, to the Full-Disclosure mailing list, and to the BugTraq mailing list, which is operated by SecurityFocus.

The high-severity flaws occur in the Oracle Forms and Oracle Reports components included in various versions of Oracle's Application Server and could allow an attacker to execute program code. Another flaw, also in Oracle Reports, could allow an attacker to overwrite files on the targeted server. The three remaining flaws are of lesser severity, according to Red Database.

Considering that at least one issues could be used to compromise Oracle databases remotely, the time taken to patch the issue is extreme, said Steve Manzuik, security product manager for security software maker eEye Digital Security.

"I have never seen any take this long," Manzuik said. "It is odd to go that long. In this case, I think something fell through the cracks. There may have been a miscommunication somewhere."

eEye also keeps track of the length of time it takes for a vendor to respond to its own flaw reports. The longest time any software maker has taken in about 370 days, Manzuik said.

Oracle restated its commitment to security in its statement.

"Security is a matter we take seriously at Oracle and our first priority is meeting customer needs and reducing their risk," the company said. "When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems."

Some researchers have argued that the increasing sophistication of binary analysis tools may make the disclosure debate a moot issue. Yet, disclosure of vulnerability information before a patch is available can have real financial consequences for a company.

A recent academic paper statistically linked flaw disclosure and a drop in the affected software company's stock price. The drop averaged 0.63 per cent, but in cases when a patch is not available, the average stock price dropped 1.5 per cent.

Oracle's stock price edged up 0.3 per cent on Tuesday, but fell 0.6 per cent in after-hours trading.

Copyright © 2005, SecurityFocus logo

Related stories

Oracle snaps up security firm
Oracle moves to quarterly patch cycle
Oracle's first monthly patch batch fails to placate critics

Choosing a cloud hosting partner with confidence

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.