The eye of Oracle's security storm

Michael Parsons ZDNet

Published: 04 Aug 2004 14:55 BST

Are the flaws generic database issues, or more Oracle-specific?
There are some generic issues with these flaws, but some are extremely Oracle-specific, and most I would class as critical. One allows an attacker without a user ID and password to get complete control of the database remotely, so if the Oracle database firewall can be bypassed, then the server can be owned by an attacker. The other flaws allow low level guest users to get complete control of the database -- so these are critical. Some are denial of service; for some people if they are processing millions of pounds an hour then denial of service becomes critical.

Did you approach The Wall Street Journal with the story?
No. After I presented my talk, David Banks with The Wall Street Journal was one of the journalists who approached me after. In a sense all software has flaws, it's nothing new, but what has kicked up a storm is that these patches have been ready for months, yet Oracle has sat on them.

Why do you think the patches were delayed?
The reason they haven't delivered those patches is because they are updating their patch delivery process. Of course it's good to streamline their patch process mechanism but you have to keep running the old one until the new one is ready. I don't have a problem with a company taking ten months to a year patching, providing they are making the best effort to make a robust patch -- but I am against people sitting on patches for a couple of months once they're actually written. Oracle could learn a few lessons from the Microsoft approach.

Does this batch of problems merit the attention they're getting?
I have described all this as a storm in a teacup, as all software has flaws, but if you say your product is unbreakable, perhaps it isn't. To market your products as unbreakable is flawed, but to sit on patches -- well, I don't see Oracle's customers getting any benefit from that. Oracle has not tried to contact me, but one would assume that it has caused them a headache; if their customers are going to be protected sooner than they otherwise would have been, that's a worthy sacrifice. If people want to label me as a troublemaker, so be it, as long as customers are protected. I think I've acted responsibly; I protected them when they failed to provide patches they had said they would provide. I have given Oracle a bit of a headache because they've got to release the patches more quickly than they had planned to.

What should IT managers do about them?
It's important that people approach this calmly, and they need to do a proper security review, think about designing and configuring their servers on the principle of least privilege, so if a user doesn't need the functionality, you don't give them access to it. Employing the principle of least privilege will help alleviate a lot of these issues. Install those patches on test systems, make sure they work, and then get them on to production systems. People have to patch quickly.
