Security threats Toolkit

The eye of Oracle's security storm

Tags:
Oracle Flaws,
Unbreakable,
David Litchfield

Michael Parsons ZDNet

Published: 04 Aug 2004 14:55 BST

David Litchfield, managing director of UK security software firm Next-Generation Security Software, found himself in the eye of a media storm after he pointed out some security flaws in Oracle's core database software at the Black Hat Security Briefings in Las Vegas last week.

Litchfield spoke to ZDNet UK about the background to his decision to go public with Oracle's problems even though some observers have accused him of being a troublemaker.

Have you been monitoring Oracle's security issues for a while?
There were press reports that I started pointing out Oracle security flaws once they launched their Unbreakable campaign, but that's not true. I was looking at Oracle products for security flaws before then, not just Oracle, but IBM, Microsoft and others. If you look at their own Oracle security alerts you'll see my name in there credited as finding various vulnerabilities before then. It probably came to most people's attention during the Oracle Unbreakable campaign, simply because that attracted a lot of media attention at the time.

What's the background to your most recent speech, which triggered all this discussion?
This time last year I was set to give a paper at a BlackHat conference about some flaws. Oracle promised that the patches would be ready before my talk, but five minutes before I was due to go on they told me they weren't ready. So I had to throw away my notes and give my speech off the cuff. Luckily I had enough material to talk about something else. I took that decision because if I had spoken about the flaws, I would have exposed customers to risk; I chose not so speak about it, which was the correct and responsible thing to.

So what happened this time?
This year I was going to be speaking on a new set of Oracle flaws. In January of this year I found about 34 in all and in March I decided to use them for my talk at BlackHat, so having informed Oracle they said again, "Don't worry, they'll be patched." I checked before I made the speech and once again the patches were not available. This time they flaws were not integral to the speech, so I was able to speak generally about PLS/SQL injection, which essentially allows an attacker to inject their own code to an application which has been written in PSL/SQL, and get super user privileges. What I had intended on doing was illustrating it with a real-world example, but because they hadn't fixed their patches, I spoke about the generic issues, and I didn't actually mention the specific flaws.