[ISN] Security Researchers Call for More Info from Oracle

InfoSec News isn at c4i.org
Thu Sep 2 07:51:35 EDT 2004


By Lisa Vaas
September 1, 2004

Oracle's first monthly rollout of patches threw security researchers
into a tizzy Wednesday as they complained of a lack of information on
which vulnerabilities had actually been fixed and what Oracle software
components had been affected.

"Oracle's a little tight-lipped on what they've fixed and what they
haven't fixed, and they haven't described in any detail at all what
the security problems are," said Aaron Newman, database security
expert, chief technology officer and co-founder of Application
Security Inc. New York-based Application Security is a security
software company that discovered about 20 of the vulnerabilities
covered in the patch release, which researchers estimated covers 60 to
100 bugs and vulnerabilities.

"Oracle is making some good approaches, rolling out monthly patches to
resolve these issues," said Noel Yuhanna, an analyst at Forrester
Research Inc., in Santa Clara, Calif.

"But again, what issues are being resolved? Oracle needs to be clear
on that and keep customers up to date on what issues exist and how
they should overcome them with patches."

In addition, researchers noted that there are still outstanding
vulnerabilities that await patching. "We still have a number of open
ones with Oracle," said Stephen Kost, chief technology officer at
Integrigy Corp., which found five to 10 of the vulnerabilities.

"They didn't fix anything in the ERP [enterprise resource planning]
suite." Oracle has known about some still-unfixed vulnerabilities for
more than a year, according to multiple researchers, although none of
the known vulnerabilities have resulted in any known exploits.

Oracle Corp. declined to comment further than it did Tuesday when it
released the patches.

But although more communication from the Redwood Shores, Calif.,
database company would be welcome, many say the accumulating swamp of
security flaws is not indicative of a failure on Oracle's part, but
rather has to do with the increasing complexity of its products.
"People come to it from a high-level perspective and say, 'Everything
should be fixed in 90 days,'" said Integrigy's Kost. "That's not
realistic. Oracle takes a long time on everything."

Furthermore, growing pains are to be expected as Oracle becomes more
ubiquitous and as security researchers focus their attention on
ferreting out flaws in its products. "Oracle in the past has been very
responsive in delivering security patches," Yuhanna said.

"But there have been very few of them. Now that there's too many of
them coming together [in clusters], it's a challenge to Oracle," he
said. "They need to streamline the process and make it effective
within Oracle and make sure customers follow the right approach—and
convey the right message that these patches get deployed as
appropriate to the given environment."

Oracle products have long had a reputation of being secure and stable,
of being supported by a DBA (database administrator) population with
above-average skills, and of being protected behind firewalls at a
higher rate than rival databases. Still, Yuhanna said, with the flood
of new features that have been packed into the latest release,
Database 10g, security problems were bound to arise.

"I feel that Oracle focused more on delivering more features and
functionality in 10g rather than securing Oracle itself," he said.
"They want to deliver more features and functionality, and security
was not a top priority."

But any glitches associated with Oracle's first monthly rollout are
bound to be ironed out in coming releases, Yuhanna predicted. "They
obviously promised to deliver these patches by the 31st, and they've
done it," he said. "Oracle hasn't been accustomed very much to
security patches as other vendors have been, so the whole process of
management is coming to light, and Oracle's trying to refine the
process and make sure they do a good job delivering the patches.

"Given that this is the first major rollout, I think, going forward,
they will be more cautious about deploying newer versions and making
sure they're more secure, just like Microsoft [Corp.], which is now
taking security more seriously than ever before," he said.

ASI's Newman said his company is telling clients to consider the
recent patch a point update and to perform appropriate testing, since
the patch fixes so many problems. "They'll have to do more testing
than they would normally for a security release," he said. "It's
amazing how Oracle went from fixing one buffer overflow to 20 or 30
buffer overflows in the patch. I think they got swamped. A lot of
people started looking at it and pulling back the covers and finding
