[ISN] Flaw hunters pick holes in Oracle patches

InfoSec News isn at c4i.org
Fri Oct 28 02:32:44 EDT 2005


http://www.zdnet.com.au/news/security/soa/Flaw_hunters_pick_holes_in_Oracle_patches/0,2000061744,39219523,00.htm

By Joris Evers
Special to ZDNet
28 October 2005

Oracle, the business software maker that has marketed its products as
"unbreakable," faces mounting criticism over its security practices.

A quarterly patch update sent out by the company last week contained
fixes for a laundry list of flaws affecting much of its lineup. But it
left out some vulnerabilities that prominent security researcher David
Litchfield expected to be tackled -- leading him to call for a
security overhaul at Oracle, including the resignation of its chief
security officer.

"That was the last straw," said Litchfield, a security researcher and
co-founder of UK-based Next Generation Security Software. "I was
extremely disgusted and upset, and I think their customers should take
umbrage too. Oracle needs to re-address their security philosophies --
their understanding of what security is and what it means."

Litchfield is not alone in his critique of the database giant. Other
security researchers have joined him in accusing Oracle of plugging
holes too late, of delivering low-quality patches that need their own
updates, and of not actually fixing vulnerabilities but merely
applying a Band-Aid to block the sample attack code provided by
researchers.

"Oracle is years behind Microsoft and other companies on security,"
said Cesar Cerrudo, CEO at information security services company
Argeniss in Argentina. "I think Oracle is an amateur when it comes to
security right now."

Oracle chose not to comment for this story.

With Microsoft, once the object of bug-related complaints, now earning
kudos from researchers and analysts for its security efforts, the
spotlight is turning elsewhere. Oracle is a likely target. The Redwood
Shores, California, company's enterprise software portfolio has grown
fast in recent years as it has picked up rivals in an acquisition
spree.

While Oracle has been moving away from using the term "unbreakable" in
its marketing, the company still likes to boast about the security of
its products. In a meeting with reporters at Oracle OpenWorld in San
Francisco last month, CEO Larry Ellison boldly stated his software
does not have flaws. He did acknowledge, however, that problems do
arise -- but only when people customise the products, he said.

Some professional flaw-finders are not convinced. As a case in point,
Litchfield referred to Oracle's August 2004 security release, which
included patches for issues he had reported to the company eight
months earlier. The repairs didn't really work, he said. With a slight
modification, the sample attack he had submitted worked again. "It
looks like they attempted to stop the exploit as opposed to fixing the
bug," he said.
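The pattern Litchfield describes, a change that stops the submitted exploit but leaves the underlying bug in place, is easy to show in code. What follows is an added illustration and not Oracle's code, nor any of the bugs discussed in this article: the bug class (a query assembled by string concatenation), the in-memory table and both payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a privileged schema (not Oracle's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(name TEXT, role TEXT);"
        "INSERT INTO users VALUES ('alice', 'dba'), ('bob', 'user');"
    )
    return conn


def lookup_vulnerable(conn, name):
    """Root cause: the caller's string is spliced into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# The sample attack a researcher might submit with the bug report (constructed).
SAMPLE_ATTACK = "' OR '1'='1"
# A slight modification of it: same bug, different bytes (constructed).
MODIFIED_ATTACK = "' OR 'a'='a"


def lookup_bandaid(conn, name):
    """'Patch' that rejects the reported payload but keeps the splice."""
    if SAMPLE_ATTACK in name:
        raise ValueError("rejected: known attack string")
    return lookup_vulnerable(conn, name)


def lookup_fixed(conn, name):
    """Real fix: the value travels as a bind parameter, never as SQL text."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def regression_check(fn, conn):
    """Rows each payload leaks through fn, or 'blocked' if fn raises."""
    out = {}
    for label, payload in (("sample", SAMPLE_ATTACK), ("modified", MODIFIED_ATTACK)):
        try:
            out[label] = len(fn(conn, payload))
        except ValueError:
            out[label] = "blocked"
    return out


if __name__ == "__main__":
    conn = make_db()
    for fn in (lookup_vulnerable, lookup_bandaid, lookup_fixed):
        print(fn.__name__, regression_check(fn, conn))
    # lookup_vulnerable {'sample': 2, 'modified': 2}
    # lookup_bandaid    {'sample': 'blocked', 'modified': 2}
    # lookup_fixed      {'sample': 0, 'modified': 0}
```

The band-aid version passes a regression test that replays the exact proof-of-concept and fails as soon as one character changes, which is the behaviour Litchfield reports. A fix review should therefore ask where the untrusted value ends up (in SQL text, or in a bind variable) rather than whether the reported string is now rejected.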

Litchfield, who has been scrutinising Oracle's security for some time,
was hoping Oracle would finally put the issue right in its bulletin
last week, but it did not. The bugs could be exploited by a user with
low-level privileges to gain full access to an Oracle database, he
said.

What's unclear is whether the bugs have resulted in any data theft or
corruption. Big companies -- the bulk of Oracle's customer base --
rarely discuss such issues in public.


Timely response

How much time there should be between the identification of a
vulnerability and the availability of a patch has long been the
subject of debate between researchers and software vendors. It depends
on many variables, including whether details of the flaw are public
and the quality and complexity of the code involved.

In general, researchers who find software bugs report those to the
vendor, following "responsible disclosure" guidelines favoured by the
software industry. They then keep the vulnerability details private
until a fix is provided and expect a credit in the vendor's security
notice. Often researchers urge software makers to issue a fix soon,
arguing that if they can find the bug, criminal hackers could too and
start creating a worm or other threat.

The ideal is not to have to deal with a time lag or even
vulnerabilities at all, said Ed Amoroso, chief information security
officer at AT&T. "Vendors should be selling software without bugs," he
said. If there are flaws, they should be fixed right away, he added.

Some researchers will put pressure on software makers by saying they
will release details of a vulnerability within a certain number of
days. eEye Digital Security, for example, regards a patch as "overdue"
60 days after it has reported a vulnerability, said Steve Manzuik,
security product manager at the Aliso Viejo, California-based company.

On its Web site, eEye lists flaws in Microsoft, RealNetworks and
Macromedia products that it believes should have been put right by
now. "But Oracle is definitely worse," Manzuik said. "They have taken
over 600 days to release patches. The worst we have seen Microsoft do
is in the 300-day range."

Alexander Kornbrust, who specialises in Oracle security, said there
are 20 bugs in Oracle products found by him that are still
outstanding. By comparison, eEye lists seven unresolved Microsoft
flaws. Kornbrust, who runs Germany's Red Database Security, said there
are at least 30 Oracle issues found by other researchers that remain
to be addressed.


Quality control

Beyond time to patch, Oracle is under fire for the quality of its
software updates. Often users run into installation trouble, and the
patches regularly need their own fixes, Kornbrust said. Those problems
indicate that Oracle does not do enough testing, he said.

In the entire process of putting out a patch, testing typically eats
up the most time, experts said. The actual identification of the
security issue and replication of it are usually done quickly. The fix
then needs to be tested for compatibility, to ensure it doesn't break
anything.

Oracle's chief security officer, Mary Ann Davidson, said in July that
the time needed to complete that testing was one of the reasons why it
might take a software maker a while to deal with a security issue. She
also pointed to the need to dovetail a range of fixes and the need to
patch for multiple platforms as other drags on the process.

"A two-line code change can take five minutes, but getting a fix into
customers' hands in such a way that they will apply it takes way more
than a few minutes," she said.

Even so, the recent history of Oracle's security updates suggests that
the company does not pay attention to security throughout its
development process, said Michael Gavin, a senior analyst at Forrester
Research.

"Far too many software development companies give short shrift to the
maintenance of existing products. The problems with Oracle patches
this year indicate that Oracle is one such company," he said.

If Oracle wants to be taken seriously when it comes to security, it
needs rigorous security processes at every stage in software
development, Gavin said. He pointed to Microsoft as an example of a
manufacturer that has its security ducks in a row.

"It seems that Microsoft has learned this lesson. Oracle has not," he
said. "Oracle has talked the talk without walking the walk, while
Microsoft has spent a fortune in time and money to improve the
security of its software and has made incredible headway."

Since launching its Trustworthy Computing Initiative three years ago,
Microsoft has changed the way it develops software in order to make
its technology more secure. It has a "security development lifecycle
process" aimed at vetting code before pushing out products, for
example.

Customer discontent helped push Microsoft into cleaning up its act,
but outside of some minor grumbling, a similar groundswell has yet to
be seen with Oracle. One customer, Daniel Morgan, a member of the
Puget Sound Oracle Users Group in Mercer Island, Washington, said he
is happy with the company's security practices.

"Of course we would like the patches faster," said Morgan, the
education chair of the PSOUG and an Oracle instructor at the
University of Washington. However, users understand that Oracle
technology is mature and that patch testing takes time, he said.

"We also know that our vulnerabilities are not like the
vulnerabilities at the operating-system level. Our databases are
almost universally behind firewalls, running on Unix-based servers and
not really vulnerable to the horde of (hacking) teenagers," he added.


Community chest

In the past, Oracle has had a rocky relationship with the community of
security researchers. In a perspective piece she wrote, Davidson
described as a "problem" those who threaten vendors with disclosure of
bugs.

For their part, researchers said that unlike other major software
houses, Oracle seems to view reports of vulnerabilities as unwanted
criticism rather than useful feedback. "Oracle says that life would be
much better without us. That is not true -- we are not the enemy,"
Kornbrust said.

But Pete Lindstrom, a director at research firm Spire Security,
believes flaw finders are at the root of the conflict, not Oracle. "I
really question the motives of the security researchers," he said.
"They are techno-elitists requiring ego-stroking, and the end-users
are caught in that crossfire."

Security researchers are purists who want every bug squashed,
Lindstrom said. "Everyone else wants software that is secure enough --
simply, that you have no compromises against vulnerabilities in the
software. It is not that you eliminate all vulnerabilities from all
software everywhere," he said.

Instead of helping software become more secure, the bug hunters are a
burden, Lindstrom said. It is not true that criminal hackers are just
behind them when it comes to uncovering bugs, he said. Instead,
attacks always take advantage of bugs published by researchers, he
said: "Maybe the good guys should stop finding bugs for the bad guys."
