Oracle Corp. acknowledged the existence of multiple security holes in its database software Tuesday and said it would issue an alert to customers shortly. The U.K. security expert who found the holes criticized Oracle’s conduct, saying that it has been sitting on patches that would fix the holes for about two months.
David Litchfield, managing director of Next Generation Security Software Ltd. of Sutton, Surrey, said he uncovered 34 security vulnerabilities in past and current versions of Oracle’s database software, at least one of which could allow a hacker to gain control of a company’s database remotely without needing a password.
Litchfield said he notified Oracle of the vulnerabilities in January, and said the company told him two months ago that it had prepared patches to repair them. Oracle has not released the patches, however, because it is in the midst of introducing a new system for distributing security fixes to customers, according to Litchfield, who was critical of the delay.
“The way they should do it is to run the old system (for issuing patches) until the new system is ready for use,” he said in a telephone interview from the U.K. Tuesday. “They have not handled this in the best way they could.”
Litchfield mentioned the vulnerabilities last week in a presentation at the Black Hat computer security conference in Las Vegas. They were first reported by The Wall Street Journal Tuesday.
Oracle initially would not confirm the vulnerabilities, saying only that it takes security matters seriously. Later Tuesday it confirmed the flaws in a brief statement but declined any further comment.
“Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better. Oracle has fixed the issues discussed in The Wall Street Journal and will issue a Security Alert soon,” the statement read.
Oracle prides itself on the security of its database software. Its advertising campaigns describe its products as “unbreakable,” and it often talks of its security certifications awarded by U.S. government agencies.
Litchfield declined to discuss the vulnerabilities in detail for fear of aiding hackers who might seek to exploit them. “In generic terms, the issues are buffer overflow vulnerabilities, PL/SQL injection vulnerabilities, and a couple of minor issues — well, minor depending on how you do your risk assessment — things like denial of service, passwords in clear text. Basically the whole gamut of vulnerability types.”
Until the patches are issued, companies can mitigate risk by following security “best practices,” he said, such as providing as little in the way of access privileges to users as is practically possible. “One can go a long way to mitigate the risk of these vulnerabilities, but some don’t have workarounds,” Litchfield said.
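As an added illustration (not code from the article, from Oracle or from Litchfield, whose findings were not published in detail), the following Oracle SQL shows the two points in his remarks where a defender can act: a PL/SQL procedure that builds dynamic SQL by string concatenation next to its bind-variable, invoker-rights form, and the least-privilege grants he recommends as a workaround. All schema, account and object names are constructed.

```sql
-- Constructed illustration; none of this is one of the reported flaws.

-- 1. Unsafe pattern: a definer-rights procedure concatenates caller input
--    into dynamic SQL. Anything injected runs with the owner's privileges.
CREATE OR REPLACE PROCEDURE hr.lookup_unsafe (p_name IN VARCHAR2)
AUTHID DEFINER AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM hr.employees WHERE last_name = ''' || p_name || ''''
    INTO v_count;
  DBMS_OUTPUT.PUT_LINE(v_count);
END;
/

-- 2. Hardened form: a bind variable keeps the input as data, and invoker
--    rights make the statement run with the caller's privileges only.
CREATE OR REPLACE PROCEDURE hr.lookup_safe (p_name IN VARCHAR2)
AUTHID CURRENT_USER AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM hr.employees WHERE last_name = :1'
    INTO v_count USING p_name;
  DBMS_OUTPUT.PUT_LINE(v_count);
END;
/

-- 3. Least privilege for an application login: a role carrying only the
--    object privileges the application needs, and nothing granted directly.
CREATE ROLE app_reader;
GRANT SELECT ON hr.employees TO app_reader;
GRANT EXECUTE ON hr.lookup_safe TO app_reader;

CREATE USER app_user IDENTIFIED BY "<password-placeholder>";
GRANT CREATE SESSION TO app_user;
GRANT app_reader TO app_user;

-- 4. Reduce what an injected statement could reach from any account:
--    pull commonly over-granted packages back from PUBLIC (check dependent
--    applications first; grant them to specific roles where still needed).
REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;   -- reads/writes server files
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;   -- outbound HTTP from the DB host

-- 5. Review: which accounts still hold DBA or "ANY" system privileges?
SELECT grantee, granted_role FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT grantee, privilege FROM dba_sys_privs WHERE privilege LIKE '%ANY%';
```

The review queries in step 5 are the quickest way to find the logins that would turn a single injectable procedure into full control of the instance.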
About half of the vulnerabilities affect Oracle’s newest database, 10g, and three of them are unique to that release, meaning they don’t affect previous versions, he said.
Litchfield is known in the industry for releasing the proof-of-concept (or “exploit”) code two years ago for a vulnerability in Microsoft Corp.’s SQL Server database. The code was used by hackers as a template to create the Slammer worm, which went on to cause widespread, costly damage.
Litchfield said he has developed similar exploits for the vulnerabilities in Oracle’s database but, after the Slammer experience, will not be releasing them.
Most industry analysts had not seen the vulnerabilities Tuesday and said it was hard to gauge their severity. Litchfield said he was not aware of any exploits for the security holes circulating among hackers. The analysts generally praised Oracle for the security of its products and for the way it has handled vulnerabilities in the past.
“They do take these things pretty seriously. They had a security breach a couple of months ago and I think they put out a patch within a day or two,” said IDC analyst Carl Olofson.
As with any software product that has been on the market for years, “there are naturally going to be some old lines of code that need to be looked at. But you could say the same thing about DB2 and Sybase,” Olofson said.
Colin White, president of IT consulting company BI Research, in Ashland, Ore., said security is less of a differentiating factor among database vendors than in the past, because all the leading products are now relatively secure. “However, as the way databases are used changes over time, as you move to a broader audience (of users) and to a Web-based environment, there are more points in the product that people could seek to exploit,” he said.
Litchfield said he expected Oracle to have issued the patches before his presentation last week at Black Hat. However, as at the same conference a year earlier, when he had planned a presentation on a different set of Oracle database flaws, the patches still had not been issued on the day of his speech, he said.
“I gave them advance warnings last year and they said they would be ready, but on the day of my talk they told me the patches would not be ready. When I set off again this year and they did the same thing again, but for a different set of issues, I thought, ‘No, not again,’” he said.
Litchfield said he modified his talk this year and skimmed over his presentation slides describing the vulnerabilities, but he apparently provided enough information for word of the security flaws to spread.
Litchfield said he is aware that he’s considered a “troublemaker” by some in the industry. He said he feels that he acts responsibly — by waiting six months to discuss the latest security holes, for example. Even then, he said, he did not intentionally publicize them.
A product such as Oracle’s database has enough lines of code that, even with the knowledge that vulnerabilities are present, it would take considerable time and effort for a hacker to find them, he said. “I think it’s fairly safe to talk about these issues. The only place where I can see that I might have been a troublemaker is to Oracle, but if it means that Oracle’s customers will get patches that much quicker, then they should be happy about that,” he said.
One Oracle database customer said he contacted Oracle about the security holes after seeing the Wall Street Journal report. He was told that patches are not available but that they would be issued soon. “Any time there’s this many vulnerabilities, to me it basically mimics the vulnerabilities in Microsoft’s products, and I am concerned about it,” said Brent Siler, director of IT for EXP Pharmaceutical Services Corp., in Fremont, Calif.
“Luckily for us, we have intrusion detection systems that we’ve been able to go out and modify based on what we have been able to read into Mr. Litchfield’s comments,” he said. “This is definitely something we’re going to stay on top of.”