Flaw hunters pick holes in Oracle patches

Software maker is coming under increased fire from security researchers who say its patch process is "years behind" other companies.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Oracle, the business software maker that has marketed its products as "unbreakable," faces mounting criticism over its security practices.

A quarterly patch update sent out by the company last week contained fixes for a laundry list of flaws affecting much of its lineup. But it left out some vulnerabilities that prominent security researcher David Litchfield expected to be tackled--leading him to call for a security overhaul at Oracle, including the resignation of its chief security officer.

"That was the last straw," said Litchfield, a security researcher and co-founder of U.K.-based Next Generation Security Software. "I was extremely disgusted and upset, and I think their customers should take umbrage too. Oracle needs to re-address their security philosophies--their understanding of what security is and what it means."

News.context

What's new:
Oracle has come under increased fire from security researchers, who say the software maker's patch process needs to improve.

Bottom line:
Now that Microsoft has shaped up on security, the spotlight is turning elsewhere--and Oracle, working to integrate acquired technologies, makes for a large target.

Litchfield is not alone in his critique of the database giant. Other security researchers have joined him in accusing Oracle of plugging holes too late, of delivering low-quality patches that need their own updates, and of not actually fixing vulnerabilities but merely applying a Band-Aid to block the sample attack code provided by researchers.

"Oracle is years behind Microsoft and other companies on security," said Cesar Cerrudo, CEO at information security services company Argeniss in Argentina. "I think Oracle is an amateur when it comes to security right now."

Oracle chose not to comment for this story.

With Microsoft, once the object of bug-related complaints, now earning kudos from researchers and analysts for its security efforts, the spotlight is turning elsewhere. Oracle is a likely target. The Redwood Shores, Calif., company's enterprise software portfolio has grown fast in recent years as it has picked up rivals in an acquisition spree.

While Oracle has been moving away from using the term "unbreakable" in its marketing, the company still likes to boast about the security of its products. In a meeting with reporters at Oracle OpenWorld in San Francisco last month, CEO Larry Ellison boldly stated his software does not have flaws. He did acknowledge, however, that problems do arise--but only when people customize the products, he said.

Some professional flaw-finders are not convinced. As a case in point, Litchfield referred to Oracle's August 2004 security release, which included patches for issues he had reported to the company eight months earlier. The repairs didn't really work, he said. With a slight modification, the sample attack he had submitted worked again. "It looks like they attempted to stop the exploit as opposed to fixing the bug," he said.

Litchfield, who has been scrutinizing Oracle's security for some time, was hoping Oracle would finally put the issue right in its bulletin last week, but it did not. The bugs could be exploited by a user with low-level privileges to gain full access to an Oracle database, he said.

What's unclear is whether the bugs have resulted in any data theft or corruption. Big companies--the bulk of Oracle's customer base--rarely discuss such issues in public.

Timely response
How much time there should be between the identification of a vulnerability and the availability of a patch has long been the subject of debate between researchers and software vendors. It depends on many variables, including whether details of the flaw are public and the quality and complexity of the code involved.

In general, researchers who find software bugs report those to the vendor, following "responsible disclosure" guidelines favored by the software industry. They then keep the vulnerability details private until a fix is provided and expect a credit in the vendor's security notice. Often researchers urge software makers to issue a fix soon, arguing that if they can find the bug, criminal hackers could too and start creating a worm or other threat.

The ideal is not to have to deal with a time lag or even vulnerabilities at all, said Ed Amoroso, chief information security officer at AT&T. "Vendors should be selling software without bugs," he said. If there are flaws, they should be fixed right away, he added.

Some researchers will put pressure on software makers by saying they will release details of a vulnerability within a certain number of days. eEye Digital Security, for example, regards a patch as "overdue" 60 days after it has reported a vulnerability, said Steve Manzuik, security product manager at the Aliso Viejo, Calif.-based company.

On its Web site, eEye lists flaws in Microsoft, RealNetworks and Macromedia products that it believes should have been put right by now. "But Oracle is definitely worse," Manzuik said. "They have taken over 600 days to release patches. The worst we have seen Microsoft do is in the 300-day range."

Alexander Kornbrust, who specializes in Oracle security, said there are 20 bugs in Oracle products found by him that are still outstanding. By comparison, eEye lists seven unresolved Microsoft flaws. Kornbrust, who runs Germany's Red Database Security, said there are at least 30 Oracle issues found by other researchers that remain to be addressed.

Quality control
Beyond time to patch, Oracle is under fire for the quality of its software updates. Often users run into installation trouble, and the patches regularly need their own fixes, Kornbrust said. Those problems indicate that Oracle does not do enough testing, he said.

In the entire process of putting out a patch, testing typically eats up the most time, experts said. The actual identification of the security issue and replication of it are usually done quickly. The fix then needs to be tested for compatibility, to ensure it doesn't break anything.

Oracle's chief security officer, Mary Ann Davidson, said in a July perspective piece for CNET News.com that the time needed to complete that testing was one of the reasons why it might take a software maker awhile to deal with a security issue. She also pointed to the need to dovetail a range of fixes and the need to patch for multiple platforms as other drags on the process.

"A two-line code change can take five minutes, but getting a fix into customers' hands in such a way that they will apply it takes way more than a few minutes," she said.

Even so, the recent history of Oracle's security updates suggests that the company does not pay attention to security throughout its development process, said Michael Gavin, a senior analyst at Forrester Research.

"Far too many software development companies give short shrift to the maintenance of existing products. The problems with Oracle patches this year indicate that Oracle is one such company," he said.

If Oracle wants to be taken seriously when it comes to security, it needs rigorous security processes at every stage in software development, Gavin said. He pointed to Microsoft as an example of a manufacturer that has its security ducks in a row.

"It seems that Microsoft has learned this lesson. Oracle has not," he said. "Oracle has talked the talk without walking the walk, while Microsoft has spent a fortune in time and money to improve the security of its software and has made incredible headway."

Since launching its Trustworthy Computing Initiative three years ago, Microsoft has changed the way it develops software in order to make its technology more secure. It has a "security development lifecycle process" aimed at vetting code before pushing out products, for example.

Customer discontent helped push Microsoft into cleaning up its act, but outside of some minor grumbling, a similar groundswell has yet to be seen with Oracle. One customer, Daniel Morgan, a member of the Puget Sound Oracle Users Group in Mercer Island, Wash., said he is happy with the company's security practices.

"Of course we would like the patches faster," said Morgan, the education chair of the PSOUG and an Oracle instructor at the University of Washington. However, users understand that Oracle technology is mature and that patch testing takes time, he said.

"We also know that our vulnerabilities are not like the vulnerabilities at the operating-system level. Our databases are almost universally behind firewalls, running on Unix-based servers and not really vulnerable to the horde of (hacking) teenagers," he added.

Community chest
In the past, Oracle has had a rocky relationship with the community of security researchers. In her perspective piece, Davidson described as a "problem" those who threaten vendors with disclosure of bugs.

"The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so," she said.

For their part, researchers said that unlike other major software houses, Oracle seems to view reports of vulnerabilities as unwanted criticism rather than useful feedback. "Oracle says that life would be much better without us. That is not true--we are not the enemy," Kornbrust said.

But Pete Lindstrom, a director at research firm Spire Security, believes flaw finders are at the root of the conflict, not Oracle. "I really question the motives of the security researchers," he said. "They are techno-elitists requiring ego-stroking, and the end-users are caught in that crossfire."

Security researchers are purists who want every bug squashed, Lindstrom said. "Everyone else wants software that is secure enough--simply, that you have no compromises against vulnerabilities in the software. It is not that you eliminate all vulnerabilities from all software everywhere," he said.

Instead of helping security become more secure, the bug hunters are a burden, Lindstrom said. It is not true that criminal hackers are just behind them when it comes to uncovering bugs, he said. Instead, attacks always take advantage of bugs published by researchers, he said: "Maybe the good guys should stop finding bugs for the bad guys."