Oracle taken to task for time to fix vulnerabilities
'Fell through the cracks'
Claiming that Oracle has failed to fix six vulnerabilities despite having more than 650 days to issue a patch, researchers at security firm Red Database Security published details of the flaws on Tuesday.
The flaws vary in severity with three of the six classified by the firm as high risk, potentially allowing a remote attacker to compromise a server or overwrite files, according to advisories released by Red Database.
"Oracle's behavior (in) not fixing critical security bugs for a long time - over 650 days - is not acceptable for their customers," Alexander Kornbrust, CEO and principal researcher with the Neunkircher, Germany-based consultancy, said in the prologue to each advisory. "Oracle put their customers in danger - at least one critical vulnerability can be abused (by) any attacker via the Internet."
The public release of the advisories - along with instructions outlining techniques to exploit all but one of the flaws - marks the latest incident between independent security researchers and software companies, two groups frequently at odds over when, or even if, to disclose vulnerabilities.
In April, a showdown between database maker Sybase and flaw finders ended when the company allowed vulnerability researchers to release details of several flaws that had already been patched. At the CanSecWest conference in May, Microsoft presented details of how the company deals with flaws in an attempt to gain sympathy from independent security researchers.
In this case, Oracle did not address the criticism or the flaws directly, but instead commented on how the information about the unpatched vulnerabilities was released.
"We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed," the company said in a statement. "We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available."
Red Database Security told Oracle of the flaws between July and September of 2003, according to the security firm's advisories. The company communicated with Oracle about the issues and, three months ago, gave the database maker until the July quarterly patch to fix the issues.
Oracle moved to a quarterly patch cycle almost a year ago and, in its July update, did not fix any of the vulnerabilities about which the security company had warned, according to Red Database.
"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," Red Database's Kornbrust said in the explanation introducing each flaw report. The reports were posted to the company's Web site, to the Full-Disclosure mailing list, and to the BugTraq mailing list, which is operated by SecurityFocus.
The high-severity flaws occur in the Oracle Forms and Oracle Reports components included in various versions of Oracle's Application Server and could allow an attacker to execute program code. Another flaw, also in Oracle Reports, could allow an attacker to overwrite files on the targeted server. The three remaining flaws are of lesser severity, according to Red Database.
Considering that at least one of the issues could be used to compromise Oracle databases remotely, the time taken to patch it is extreme, said Steve Manzuik, security product manager for security software maker eEye Digital Security.
"I have never seen any take this long," Manzuik said. "It is odd to go that long. In this case, I think something fell through the cracks. There may have been a miscommunication somewhere."
eEye also keeps track of the length of time it takes a vendor to respond to its own flaw reports. The longest time any software maker has taken is about 370 days, Manzuik said.
Oracle restated its commitment to security in its statement.
"Security is a matter we take seriously at Oracle and our first priority is meeting customer needs and reducing their risk," the company said. "When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems."
Some researchers have argued that the increasing sophistication of binary analysis tools may make the disclosure debate a moot issue. Yet, disclosure of vulnerability information before a patch is available can have real financial consequences for a company.
A recent academic paper statistically linked flaw disclosure to a drop in the affected software company's stock price. The drop averaged 0.63 per cent, but in cases where a patch was not available, the average stock price dropped 1.5 per cent.
Oracle's stock price edged up 0.3 per cent on Tuesday, but fell 0.6 per cent in after-hours trading.