Oracle taken to task for time to fix vulnerabilities

'Fell through the cracks'

Claiming that Oracle has failed to fix six vulnerabilities despite having more than 650 days to issue a patch, researchers at security firm Red Database Security published details of the flaws on Tuesday.

The flaws vary in severity with three of the six classified by the firm as high risk, potentially allowing a remote attacker to compromise a server or overwrite files, according to advisories released by Red Database.

"Oracle's behavior (in) not fixing critical security bugs for a long time - over 650 days - is not acceptable for their customers," Alexander Kornbrust, CEO and principal researcher with the Neunkircher, Germany-based consultancy, said in the prologue to each advisory. "Oracle put their customers in danger - at least one critical vulnerability can be abused (by) any attacker via the Internet."

The public release of the advisories - along with instructions outlining techniques to exploit all but one of the flaws - marks the latest incident between independent security researchers and software companies, two groups frequently at odds over when, or even if, to disclose vulnerabilities.

In April, a showdown between database maker Sybase and flaw finders ended when the company allowed vulnerability researchers to release details of several flaws that had already been patched. At the CanSecWest conference in May, Microsoft presented details of how the company deals with flaws in an attempt to gain sympathy from independent security researchers.

In this case, Oracle addressed neither the criticism nor the flaws directly, but instead commented on how the information about the unpatched vulnerabilities was released.

"We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed," the company said in a statement. "We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available."

Red Database Security told Oracle of the flaws between July and September of 2003, according to the security firm's advisories. Red Database communicated with Oracle about the issues and, three months ago, gave the database maker until the July quarterly patch to fix them.

Oracle moved to a quarterly patch cycle almost a year ago and, in its July update, did not fix any of the vulnerabilities about which the security company had warned, according to Red Database.

"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," Red Database's Kornbrust said in the explanation introducing each flaw report. The reports were posted to the company's Web site, to the Full-Disclosure mailing list, and to the BugTraq mailing list, which is operated by SecurityFocus.

The high-severity flaws occur in the Oracle Forms and Oracle Reports components included in various versions of Oracle's Application Server and could allow an attacker to execute program code. Another flaw, also in Oracle Reports, could allow an attacker to overwrite files on the targeted server. The three remaining flaws are of lesser severity, according to Red Database.

Considering that at least one of the issues could be used to compromise Oracle databases remotely, the time taken to patch it is extreme, said Steve Manzuik, security product manager for security software maker eEye Digital Security.

"I have never seen any take this long," Manzuik said. "It is odd to go that long. In this case, I think something fell through the cracks. There may have been a miscommunication somewhere."

eEye also tracks how long vendors take to respond to its own flaw reports. The longest any software maker has taken is about 370 days, Manzuik said.

Oracle restated its commitment to security in its statement.

"Security is a matter we take seriously at Oracle and our first priority is meeting customer needs and reducing their risk," the company said. "When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems."

Some researchers have argued that the increasing sophistication of binary analysis tools, which let attackers locate a flaw by comparing patched and unpatched code, may make the disclosure debate moot. Yet disclosure of vulnerability information before a patch is available can have real financial consequences for a company.

A recent academic paper statistically linked flaw disclosure and a drop in the affected software company's stock price. The drop averaged 0.63 per cent, but in cases when a patch is not available, the average stock price dropped 1.5 per cent.

Oracle's stock price edged up 0.3 per cent on Tuesday, but fell 0.6 per cent in after-hours trading.

Copyright © 2005, SecurityFocus

Related stories

Oracle snaps up security firm
Oracle moves to quarterly patch cycle
Oracle's first monthly patch batch fails to placate critics
