Feeds

Oracle taken to task for time to fix vulnerabilities

'Fell through the cracks'

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Claiming that Oracle has failed to fix six vulnerabilities despite having more than 650 days to issue a patch, researchers at security firm Red Database Security published details of the flaws on Tuesday.

The flaws vary in severity with three of the six classified by the firm as high risk, potentially allowing a remote attacker to compromise a server or overwrite files, according to advisories released by Red Database.

"Oracle's behavior (in) not fixing critical security bugs for a long time - over 650 days - is not acceptable for their customers," Alexander Kornbrust, CEO and principal researcher with the Neunkircher, Germany-based consultancy, said in the prologue to each advisory. "Oracle put their customers in danger - at least one critical vulnerability can be abused (by) any attacker via the Internet."

The public release of the advisories - along with instructions outlining techniques to exploit all but one of the flaws - marks the latest incident between independent security researchers and software companies, two groups frequently at odds over when, or even if, to disclose vulnerabilities.

In April, a showdown between database maker Sybase and flaw finders ended when the company allowed vulnerability researchers to release details of several flaws that had already been patched. At the CanSecWest conference in May, Microsoft presented details of how the company deals with flaws in an attempt to gain sympathy from independent security researchers.

In this case, Oracle did not address the criticism nor the flaws directly, but instead commented on how the information about the unpatched vulnerabilities was released.

"We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed," the company said in a statement. "We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available."

Red Database Security told Oracle of the flaws between July and September of 2003, according to the security firm's advisories. The company communicated with Oracle about the issues and, three months ago, gave the database maker until the July quarterly patch to fix the issues.

Oracle moved to a quarterly patch cycle almost a year ago and, in its July update, did not fix any of the vulnerabilities about which the security company had warned, according to Red Database.

"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," Red Database's Kornbrust said in the explanation introducing each flaw report. The reports were posted to the company's Web site, to the Full-Disclosure mailing list, and to the BugTraq mailing list, which is operated by SecurityFocus.

The high-severity flaws occur in the Oracle Forms and Oracle Reports components included in various versions of Oracle's Application Server and could allow an attacker to execute program code. Another flaw, also in Oracle Reports, could allow an attacker to overwrite files on the targeted server. The three remaining flaws are of lesser severity, according to Red Database.

Considering that at least one issues could be used to compromise Oracle databases remotely, the time taken to patch the issue is extreme, said Steve Manzuik, security product manager for security software maker eEye Digital Security.

"I have never seen any take this long," Manzuik said. "It is odd to go that long. In this case, I think something fell through the cracks. There may have been a miscommunication somewhere."

eEye also keeps track of the length of time it takes for a vendor to respond to its own flaw reports. The longest time any software maker has taken in about 370 days, Manzuik said.

Oracle restated its commitment to security in its statement.

"Security is a matter we take seriously at Oracle and our first priority is meeting customer needs and reducing their risk," the company said. "When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems."

Some researchers have argued that the increasing sophistication of binary analysis tools may make the disclosure debate a moot issue. Yet, disclosure of vulnerability information before a patch is available can have real financial consequences for a company.

A recent academic paper statistically linked flaw disclosure and a drop in the affected software company's stock price. The drop averaged 0.63 per cent, but in cases when a patch is not available, the average stock price dropped 1.5 per cent.

Oracle's stock price edged up 0.3 per cent on Tuesday, but fell 0.6 per cent in after-hours trading.

Copyright © 2005, SecurityFocus logo

Related stories

Oracle snaps up security firm
Oracle moves to quarterly patch cycle
Oracle's first monthly patch batch fails to placate critics

Security for virtualized datacentres

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.