[ISN] Oracle Still Sitting on Database-Security Patches

InfoSec News isn at c4i.org
Wed Aug 18 06:54:31 EDT 2004


By Lisa Vaas 
August 17, 2004 

Oracle Corp. is in public-relations hot water after weeks of stony
silence on its delay in releasing 34 security vulnerabilities patches
for flaws it has known about since January or February.

"Clearly, it's a good thing that they're getting the patches ready,
but it seems to me that Microsoft [Corp.] has gotten a lot of grief
for delaying patches for a variety of reasons," reads one post on the
Weblog .net DElirium. "Will Oracle be held to the same standard?"

The flaws were discovered in January by David Litchfield, managing
director of Next Generation Security Software Ltd., in Surrey,
England. According to Litchfield, the flaws include buffer overflow
attacks and SQL injection techniques for gaining access to Oracle

Litchfield has demurred on giving further details of the flaws, not
wanting to enable hackers to commit exploits before Oracle has
released patches. He first mentioned the flaws at the BlackHat
security conference in Las Vegas last month, saying he had expected
Oracle to deliver the patches in time for that conference.

Oracle has confirmed that the flaws do exist and that it has already
created fixes, but the Redwood Shores, Calif., database giant has not
offered details on when patches would be available.

In light of Microsoft's recurring security woes and the criticism that
has steadily rained down upon it, some are itching to see Oracle get
its share of the grief - particularly in light of its "Unbreakable"  
database ad campaign.

But as experts and one blog writer suggested, the security situation
in general for Oracle databases is a far cry from Microsoft Windows.  
"If you use Oracle, your [database] will be for sure behind dozens of
firewalls, servers, etc.," wrote one blog contributor.

"Different from [Microsoft SQL Server instances] that are very often
used for Web and installed on the same machine as the Web server. The
risks involved on an Oracle update and a Windows update are very

Ian Abramson, chief technology officer at Toronto-based Red Sky Data
Inc., agreed with that premise. "Most installations we have are pretty
secure to the outside world nowadays," he said.

John Pescatore, an analyst at Gartner Inc., said the skill sets of
Oracle DBAs (database administrators) also tend to be higher than
those of the population of professionals who run Microsoft's SQL
Server databases, which have the reputation of being far simpler to
manage. "Oracle databases tend to be behind firewalls and protected by
[people with] a much more sophisticated set of skills," he said.

In the meantime, rumors are flying that Oracle is delaying the patches
release while it constructs a new patch-delivery
paradigm—specifically, a cumulative, monthly patch-release schedule a
la Microsoft's current strategy.

Pescatore counts Microsoft as a client and advised the company on its
initial adoption of the cumulative patch-release program. He said the
move helped enterprises because it made patch releases more
"predictable and packaged up."

"A lot of other large, Oracle-sized software companies have waited and
watched to see how it went with Microsoft, to see if they'd get
roasted, to see if they looked like they were trying to hide
vulnerabilities," Pescatore said. "We [had] advised Microsoft that we
thought it would help enterprises. [Before the cumulative patch
program], you hadn't even finished one patch when they said they had

Oracle's delayed flaw fixes come at a crucial time, coinciding with
Microsoft's release of SP2 (Service Pack 2) for Windows XP, which has
been shown to break about 50 applications upon installation. As such,
some have sought to compare the two companies' approach to patch

But that comparison is weak, Pescatore said, considering that SP2 is
mostly breaking applications that are doing "bad things."

"Two things are breaking applications," he said. "[Applications that
have the] Windows firewall on by default, and Microsoft made a lot of
changes in how Windows handled remote procedure calls, forcing them to
be authenticated.

"So, the firewall is sort of forcing applications to work in a more
secure way," he said. "That's breaking some of them—mostly gaming and
things that try to communicate on the Internet. And remote procedure
calls - sloppy programming done in Windows that was taken advantage of
by programmers."

Some Oracle users said they'd welcome a shift to a monthly
patch-release schedule. "That seems to me to be the best of both
worlds," said Kelly Cox, an Oracle DBA who runs a small consultancy in
Alexandria, Va. "With [a monthly release], you still need to wait a
little bit, but at least they'll bundle it. The only problem is
waiting for that [once-a-month date]."

More information about the ISN mailing list