[ISN] Q&A: Oracle exec says users get enough flaw info
isn at c4i.org
Mon Jan 23 02:24:19 EST 2006
By Jaikumar Vijayan
JANUARY 20, 2006
As senior director of security assurance at Oracle Corp., Duncan
Harris is in charge of the company's vulnerability remediation
processes. He also manages a team of "ethical hackers" at Oracle's
Reading, England, software lab whose job is to find flaws in the
vendor's products. Following Oracle's latest quarterly patch release
this week (see "Oracle releases patches for 82 flaws" ), Harris
spoke with Computerworld about the company's patching policies and its
relationship with the IT security community.
Oracle just announced patches for 82 vulnerabilities. Why so many?
Oracle doesn't shy away from fixing flaws publicly through our
Critical Patch Updates. We don't hide our internally discovered
vulnerabilities. When we discover something internally, we still
mention it in our Critical Patch Updates. Other vendors, as the
security community knows, may be doing silent fixes. It is something
we don't believe in. That is part of the explanation for the large
number of vulnerabilities. Certainly, there is also much more
attention being paid to Oracle for whatever reason.
Critics say Oracle doesn't share enough vulnerability information for
users to make proper risk assessments. Why don't you disclose more
The comparison is quite clearly with Microsoft's monthly updates. You
have to remember that Windows updates are clearly aimed at client
machines. Oracle has client-side products, some of which are quite
important, but our fundamental focus is on the server side. Comparing
this to the monthly patching that Microsoft does is like comparing
apples and oranges. It really is quite different to have a systems
administrator patch a server-side system and a small client.
Why do you think the security community is so unhappy with Oracle?
In terms of working with the security community, we work very well
with those that are happy to abide by the security vulnerability
handling processes, which we have published on our Web site for anyone
to see. There are others who for their own good reasons choose to
pressure us and put our customers at risk by a partial or early or
zero-day disclosure of vulnerabilities in Oracle products. I assume
that is part of their marketing method to potentially increase their
consulting business. Our "Unbreakable" [advertising] campaign was also
a bit of a red flag, which may be another reason why there is so much
attention being paid to Oracle by security researchers.
How long does it take for Oracle to fix flaws?
It absolutely depends on their severity. The Critical Patch Update
that we [just] issued -- one of the vulnerabilities there was reported
to Oracle in November. There is another that was reported to Oracle
800-plus days ago by external researchers. That is not something we
are proud of, [but] it points to the fact that we fix vulnerabilities
in order of severity. We are making substantial efforts to refine the
infrastructure such that reports of vulnerabilities being more than
two years old should be a thing of the past. Perhaps in a year's time
it will be. But I do anticipate that for the remainder of 2006, you
will see security researchers declaring that vulnerabilities they
reported two years ago have just been fixed.
How many of your vulnerabilities are discovered internally?
If you look at all of the vulnerabilities that my security group
handles, we discover about 75% of them. About 10% is reported to us by
our customers. The remainder comes to us through external security
How has your vulnerability remediation processes evolved over the past
We have seen a substantial move starting over four or five years ago
whereby real-world hackers and security researchers started turning
their attention more and more to applications that sit on top of the
operating system. There has been a substantial targeting of database
and applications. About March 2001, Oracle was tracking exactly nine
security vulnerabilities across our whole product stack. Eighteen
months later, in September 2002, we were tracking 62. We've had to
substantially change parts of our infrastructure to cope with the
More information about the ISN