A security bulletin sent out by the company last week contained fixes for vulnerabilities affecting much of its lineup. But it left out some vulnerabilities that prominent security researcher David Litchfield expected to be tackled--leading him to call for a security overhaul at Oracle, including the resignation of its chief security officer.
"That was the last straw," said Litchfield, a security researcher and co-founder of U.K.-based Next Generation Security Software. "I was extremely disgusted and upset, and I think their customers should take umbrage too. Oracle needs to re-address their security philosophies--their understanding of what security is and what it means."
Oracle has come under increased fire from security researchers, who say the software maker's patch process needs to improve.
Now that Microsoft has shaped up on security, the spotlight is turning elsewhere--and Oracle, working to integrate acquired technologies, makes for a large target.
Litchfield is not alone in his critique of the database giant. Other security researchers have joined him in accusing Oracle of, of delivering low-quality patches that need their own updates, and of not actually fixing vulnerabilities but merely applying a Band-Aid to block the sample attack code provided by researchers.
"Oracle is years behind Microsoft and other companies on security," said Cesar Cerrudo, CEO at information security services company Argeniss in Argentina. "I think Oracle is an amateur when it comes to security right now."
Oracle chose not to comment for this story.
With Microsoft, once the object of bug-related complaints, now earning kudos from researchers and analysts, the spotlight is turning elsewhere. Oracle is a likely target. The Redwood Shores, Calif., company's enterprise software portfolio has grown fast in recent years as it has picked up rivals in an .
While Oracle has been in its marketing, the company still likes to boast about the security of its products. In a meeting with reporters at Oracle OpenWorld in San Francisco last month, CEO Larry Ellison boldly stated his software does not have flaws. He did acknowledge, however, that problems do arise--but only when people customize the products, he said.
Some professional flaw-finders are not convinced. As a case in point, Litchfield referred to Oracle's August 2004 security release, which included patches for issues he had reported to the company eight months earlier. The repairs didn't really work, he said. With a slight modification, the sample attack he had submitted worked again. "It looks like they attempted to stop the exploit as opposed to fixing the bug," he said.
Litchfield, who has been, was hoping Oracle would finally put the issue right in its bulletin last week, but it did not. The bugs could be exploited by a user with low-level privileges to gain full access to an Oracle database, he said.
What's unclear is whether the bugs have resulted in any data theft or corruption. Big companies--the bulk of Oracle's customer base--rarely discuss such issues in public.
How much time there should be between the identification of a vulnerability and the availability of a patch has long been the subject of debate between researchers and software vendors. It depends on many variables, including whether details of the flaw are public and the quality and complexity of the code involved.
In general, researchers who find software bugs report those to the vendor, following "" guidelines favored by the software industry. They then keep the vulnerability details private