Security Researcher Says Oracle Slow to Fix Flaw
Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"
A Cultural Thing? (Score:4, Interesting)
Oracle borrowing from the Microsoft Security-Fixing Playbook?
"we'll get around to it when we get around to it and not a moment sooner"
Oracle borrowing Microsoft's tactics? What next, alerting the Department of Homeland Security? Litchfield is al-Qaeda, you betcha!
Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.
That flaming car, Ralph's fault, he's al-Qaeda, too.
Small wonder people have no problem at all in buying imported products and services considering the culture of ass-covering in the United States. Remember when American-made goods were the best in the world? Seems a distant memory now.
prepare a statement to the media which blames others for the problem, distances us from it and doesn't harm our stock value, oh and discontinue our practice of sending out new versions/models for review, tell everyone they just have to trust us that everything is fine and not very many people died horrible flaming death during testing of the software and/or new car model
Re:A Cultural Thing? (Score:4, Funny)
I'm pretty sure that metaphor is bad enough to make baby Jesus cry. I have absolutely no clue how a software company taking longer than 3 months to patch code that could have tens of millions of lines is like automakers blaming a car explosion on Ralph Nader because he's al-Qaeda....
I understand that you want to try and make everything a political argument about how much America and/or Bush and/or Republicans and/or the intelligence community and/or Congress sucks, but seriously... a software patch?
Re:A Cultural Thing? (Score:2, Informative)
You either misunderstand on purpose or not, but as you've suddenly skewed into the political arena at the 12th word of that sentence, I suggest you re-read the subject line and consider how you're under that blanket, too.
Re:A Cultural Thing? (Score:1, Redundant)
No no no, you don't get to tell me I "misunderstand" because I called you on your veiled political swipes that had NOTHING to do with the discussion.
Re:A Cultural Thing? (Score:1)
"veiled political swipes"???
One reference to a company running screaming to the government to help it cover its ass, which has an actual basis in fact (Microsoft willing the government to prevent revelations of Windows security holes on the grounds of National Security), is an attack on Bush and/or Republicans and/or the intelligence community and/or Congres
Re:A Cultural Thing? (Score:2)
No, it was two references to trying to hide behind an al-Qaeda defense and a "you betcha" reference. You can't seriously think that I was the one ma
Re:A Cultural Thing? (Score:1)
Yep, I surely do. You're way off base. You should consider through what colour glasses you are reading and how you arrived at your conclusion. It'll save you a lot of huffing and puffing in the future.
Re:A Cultural Thing? (Score:2, Funny)
Re:A Cultural Thing? (Score:2, Informative)
Again, to be fair to Microsoft, I don't think they wrote it, they've just updated it a bit.
Back in 1985 I was introduced to the concept of BS'ing on an expensive product from an American company. I truly wasn't expecting a company to utterly flee any responsibility. As it was out of my own time and money the expenses were coming to remedy problems, I was acutely in tune with what was transpiring. Why obviously defecti
Re:A Cultural Thing? (Score:5, Funny)
I'm only 34, so, no.
Re:A Cultural Thing? (Score:2, Interesting)
I'm only 34, so, no.
Not actually that long ago for many things. I've still got a set of sockets, one of which withstood 175 ft/lbs of torque to remove a stubborn headbolt on an AMC 360 V8 (the engine was wrecked by a dropped valve and shattered piston, but in the sort of grim fascination engineering types hold for such things, we just had to take it apart to see the carnage). Two Taiwanese sockets (lifetime guarantee!) split at about 90 ft/l
Re:A Cultural Thing? (Score:1)
... or just a chance to bash security researchers? (Score:1)
But, hey, I'll let you all judge. Here's his
Re:A Cultural Thing? (Score:1)
Really a problem? (Score:4, Insightful)
I am a programmer and when I find bugs in my code "pre-release" I find it beneficial. However, some of the bugs I have to spend a substantial amount of time debugging to finally find a fix.
With code as large as Oracle's, it could take an extremely long time.
This is unfortunate.
Re:Really a problem? (Score:3, Interesting)
If Oracle can't fix the problem in 3 months, at least they could inform their own customers so they could take protective measures of their own. That Oracle could do inside of 3 months no matter how complex the bug is to finally fix.
Re:Really a problem? (Score:2, Informative)
http://www.securityfocus.com/archive/1/423029
Re:Really a problem? (Score:3, Interesting)
I admin an Oracle database, and I am not a fan (I am also NOT a DBA, it's just a small part of my job for bioinformatics research). With the latest worms and whatever security announcements, it seems as a registered and paying metalink member, I should quickly and easily downloa
Re:Really a problem? (Score:1)
Over what, 1200 baud? Were you trying to whistle into a modem with a microphone?
I can find "the latest patches" in... lessee.
Login.
Click tab at top right called "Patches and Updates" -- deviously named and not at all intuitive.
On the next page, there's:
Simple Search
Advanced Search
E-business Suite Recommended Patch List
Quick Links to the Latest Patchsets, Minipacks, and Maintenance Packs
Your Saved Searches
Wow... where to go next? If you're cra
Re:Really a problem? (Score:5, Interesting)
If they can't fix it immediately, then they should let him know WHEN they're going to fix it. David announced this because he was expecting a fix in the January update, and it was not there.
On top of this, for the past few months he's been complaining about the fact that some of the vulnerabilities he has told Oracle about have gone unpatched for 2+ years. He has already tried the "responsible disclosure" route with Oracle. They're just not being responsive.
I think that his announcement and others like it will be the only way to get Oracle to respond. I'm just worried about what this means for the next X months.
Rather than denigrate Litchfield... (Score:2)
...Oracle should contact him immediately, and determine any schedule he may have on revealing further security flaws.
I assume that Litchfield has additional bombshell revelations in store, and it is obvious that he has run out of patience.
Oracle should be silent on criticism of Litchfield, and they should quickly triage which problems they intend to solve, and when.
p.s. Oracle should also stop distributing Apache. Their version has more holes than Swiss cheese.
Re:Really a problem? (Score:1)
Actually, this doesn't appear to be a problem in the db server software, but with an Apache module they distribute:
The flaw occurs in the way that a module in Oracle's Apache Web server distribution handles input and could give external attackers the ability to take control of a backend Oracle database through the Web server, said David Litchfield
If this is the case, it would seem that the amount of code should be significantly smaller than what you might imagin
It's not a fundamental bug (Score:2, Insightful)
While sometimes there are fundamental design problems, this doesn't look like such a case.
(And in such a case, you should explain to the problem reporter why this is an exceptionally difficult bug and ask for an exceptiona
Re:Really a problem? (Score:3, Informative)
Okay, hang on. I know Litchfield, and he's no dummy (and he's a coder as well). First of all, Oracle isn't one guy debugging the code, as you are; it's a whole huge company, with literally thousands of programmers. Their code is in a system like Rational, which helps with modeling as well (thus enabling people to find the sections of code that control various aspects of the software...so you don't have to go looking through
Re:Really a problem? (Score:2)
You make a valid point, as a software developer I too have run into bugs for which the solution was not a simple one. That being said, the users of Oracle are paying outrageous prices for the database and in doing so expect that Oracle will move mountains if needed to find a quick solution to the problem. They could get it done faster if it was a priority for them, and with the cost of Oracle I would expect them to put 500 developers on the problem if that'
Re:Really a problem? (Score:1)
What alternative? Most large organizations that use Oracle have so much invested in that company, there is no alternative! It's too expensive to switch, even if there was one...
Re:Really a problem? (Score:2)
Re:Really a problem? (Score:2, Informative)
With code as large as Oracle's, it could take an extremely long time.
Yes, but they could have at least published a workaround for the problem, even if they don't have the fix in place. There is a 4 line change to the Apache setup which acts as a workaround for the problem; David Litchfield posted it to Bugtraq h
Who put their customers at risk!!?! (Score:3, Insightful)
So tell me again, Oracle, WHO put their customers at risk?
Re:Who put their customers at risk!!?! (Score:2)
This is precisely why EULAs were started--to shield commercial businesses from liability for producing (often knowingly) a seriously flawed product. EULAs are the devil.
Re:Who put their customers at risk!!?! (Score:2)
That's what vendor lock-in and consultants are for.
Re:Who put their customers at risk!!?! (Score:2)
Yeah, especially the ones with the line "This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." Those things are just plain evil!
Re: (Score:2)
Re:Who put their customers at risk!!?! (Score:2)
Now, that being said, three months without a fix and/or mitigation technique is a problem. That is how the discussion should be framed, or it's just going to come across as a bunch of teeth gnashing by knee-jerk idiots.
who is to blame? (Score:2, Insightful)
Isn't Oracle the one who has put their customers at risk?
Who's putting customers at risk? (Score:5, Insightful)
Litchfield is putting Oracle's customers at risk? I don't think so. Oracle put their customers at risk; Litchfield merely told those customers they were at risk and in what way. He gave Oracle 3 months to either fix the problem or inform their customers, and Oracle did neither, so I'd say the problem's all of Oracle's making. If they'd placed their customers' security over their own PR in a reasonable timeframe, Litchfield wouldn't have had to embarrass them this way.
Another example of why "reasonable disclosure" doesn't work well.
Oracle's trump card (Score:2)
EULAs must die.
Re:Oracle's trump card (Score:1)
Re:Who's putting customers at risk? (Score:2)
Many are stopping, hence the screeches from companies. :)
My personal rule about security-related bugs is that I'll give a company 1 month (30 days) from being notified to either a) release a fix, b) disclose the problem and any existing workarounds to the public, or c) get back to me with a really good reason why it's not possible to do either A or B (and "It'll embarrass us." is not a good reason). If there's evidence the problem's already being exploited (real exploits affecting computers at large, not pro
It's the other way around.. (Score:5, Insightful)
Re:It's the other way around.. (Score:2)
Huh? (Score:2, Insightful)
Researcher point of view (Score:5, Informative)
As bad as it is to publish unpatched vulnerabilities, it's worse if a company chooses to ignore security altogether. Ignoring security and suppressing vulnerability reports demands that vulnerabilities be published. People generally won't publish vulnerabilities if they see that the company is taking them seriously.
Full-Disclosure (Score:2)
Re:Blame it on the messenger, again (Score:3, Insightful)
Since you brought it up though, let's analyze the analogy. And only in terms of "security", which is what this
Intercepting communications from foreign people believed to be terrorists or connected to them:
* This activity's purpose is to prevent fut
Re:Blame it on the messenger, again (Score:2)
Baloney. It puts "we the people" at risk by eliminating judicial oversight.
no agenda here (Score:2)
What I was trying to say was that people can criticize something without having fear or being intimidated from speaking up. I have no political agenda here except free thought and speech.
people need to be realistic (Score:1, Troll)
Oracle's DB products are unbelievably complex pieces of code which support tens of thousands of dependencies from other pieces of code, many of which weren't even created by Oracle. It's not as simple as, "Hey. Let's throw this patch out on our website and tell everyone to install it."
This dude shows up with some kind of exploit and then has the gall to dictate to Oracle what their bugfix release schedule should be?!? That's a real narro
Re:people need to be realistic (Score:2)
More likely he wanted to publish the results of his research, since that would be the reason why he did the research in the first place. He wasn't trying to make Oracle jump through a hoop by releasing this info three months after he told them about it, he was d
Re:people need to be realistic (Score:1)
Of course, if you have an Oracle database running on a server in the wild that's vulnerable to this exposure, you're an idiot considering this vulnerability was known about months ago.
But none of that is relevant. If Big Company doesn't respond according to Slashdot's time constraints -- and right sprightly, too! -- well, they're evil. Actually more evil because they have wealth, power, and greater marketshare than all the OSS database engines, which is evil, a
Recall product (Score:1, Insightful)
RECALL THE PRODUCT!
That's what car makers do.
And yes, software is critical.
Re:Recall product (Score:1, Informative)
When customers such as government agencies and hospitals rely on your product to store their data, it is pretty damned critical. If you were a patient in a hospital, the database could be life or death to you.
Re: (Score:1)
Mission critical Info (Score:1)
ever heard of regression testing? (Score:4, Interesting)
Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.
Re:ever heard of regression testing? (Score:2)
He's a smart guy, I'm sure, but there are plenty of smart people and not all of them are on the side of actually helping security. For all we know there could be someone else who figured this out and has been exploiting it, perhaps in ways that make it undetectable that there has actually been data theft or changes.
If administrators know about the problem they are better able to guard against it. Either by reconfiguring permissions on the
Re:ever heard of regression testing? (Score:2)
As a side note I work in the SOA and Web Application Server space as a developer. I know quite well how Oracle's app server works. When it initially came out it was merely a bunch of triggers and stored procedures that spit out HTML over a designated port.
Customers complained that it was a pain to extend as it did not support any major development platform (Java,
Re:ever heard of regression testing? (Score:3, Insightful)
If you would have read the fine article, you would have known that flaws in this particular piece of code have been discovered over the past few years, with each patch being inadequate in actually fixing it securely. You should think that 4 years would be enough for some regression testing.
Re:ever heard of regression testing? (Score:1)
The workaround is trivial; using mod_rewrite, which is compiled into Oracle's Apache distribution, it is possible to stop the attack. The workaround checks a user's web request for the presence of a right facing bracket, ')'.
Add the following four lines to your http.conf file then stop and restart the web server:
RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule
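As an added example (this is not Litchfield's code or anything Oracle ships), the Python below reproduces the RewriteCond from the posted workaround and runs it over a few constructed Apache access-log lines, so an administrator can see which past requests the rule would have redirected. It assumes the log is in Apache's combined format and, because RewriteCond here tests only %{QUERY_STRING}, it applies the pattern to the query string parsed out of the request target; the IPs, paths and timestamps in SAMPLE_LOG are made up.

```python
"""Mirror the posted mod_rewrite workaround's condition and apply it to log lines.

Assumptions (not from the original post): Apache combined log format, and the
query string is isolated with urllib, which is what %{QUERY_STRING} exposes.
"""
import re
from urllib.parse import urlsplit

# The RewriteCond pattern from the posted workaround, verbatim: a literal ')'
# or its percent-encoded form %29 anywhere in the query string.
PAREN_COND = re.compile(r"^.*\).*|.*%29.*$")

# Pulls the request line ("GET /path?query HTTP/1.1") out of a combined-format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def query_string_blocked(query_string: str) -> bool:
    """True if the workaround's RewriteCond would match this query string."""
    return PAREN_COND.search(query_string) is not None


def request_blocked(target: str) -> bool:
    """Apply the condition the way mod_rewrite does: to the query string only.

    `target` is the request-target as logged, e.g. '/pls/portal/demo.show?p=1)'.
    urlsplit leaves percent-encoding intact, so '%29' is still visible to the
    pattern, exactly as it is to RewriteCond.
    """
    return query_string_blocked(urlsplit(target).query)


def flag_log_lines(lines):
    """Return (line_number, target) for every request the workaround would redirect."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if match and request_blocked(match.group("target")):
            flagged.append((number, match.group("target")))
    return flagged


# Constructed sample log lines (hypothetical hosts, paths and times, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jan/2006:09:12:01 +0000] "GET /pls/portal/demo.show HTTP/1.1" 200 4120',
    '10.0.0.5 - - [27/Jan/2006:09:12:07 +0000] "GET /pls/portal/demo.show?p=us) HTTP/1.1" 200 4120',
    '10.0.0.9 - - [27/Jan/2006:09:13:44 +0000] "GET /pls/portal/demo.show?p=us%29 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [27/Jan/2006:09:14:02 +0000] "POST /pls/portal/demo.login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, target in flag_log_lines(SAMPLE_LOG):
        print(f"line {number}: would be redirected to denied.htm: {target}")
```

Running it on SAMPLE_LOG flags lines 2 and 3 only; the script mirrors just the RewriteCond shown, so whatever the fourth (cut-off) RewriteRule line adds is outside its scope.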
Lesson #1: Do NOT Feed the Bears (Score:2)
Just one lesson to learn here is there needs to be some kind of standard procedure for notifying and working with companies with fl
Re:Lesson #1: Do NOT Feed the Bears (Score:2)
godless killing machines without a soul
Oh wait, this is Oracle...
Pot vs. Kettle (Score:2)
It would seem to me that what put Oracle's customers at risk was the security flaw itself, not someone's disclosure of it.
Gartner (Score:2)
http://news.com.com/Gartner+Oracle+no+longer+a+bastion+o
Unbreakable (Score:1)
THIS JUST IN... (Score:2)
I agree with Oracle on this (Score:2)
After all, it *is* best practice to kill the messenger.
Ora ... who? (Score:2)
Not a rdbms vulnerability, per se (Score:2)
There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS
and the Oracle HTTP Server, that allows attackers to bypass the
PLSQLExclusion list and gain access to "excluded" packages and procedures.
This can be exploited by an attacker to gain full DBA control of the backend
database server through the web server.
This flaw was reported to Oracle on the 26th of October 2005. On November the 7th NGS alerted NISCC (http://www.niscc.gov.uk/) to t
Heroes, my things have changed... (Score:2)
A few months later, I noticed the same stuff getting generated, so I complained, and was told that it was fixed.
So I posted the information in an administrators' newsgroup.
Suffice it to say, I was BAD for publishing confidential information. I got my privs removed, threatened with expulsion, but hey, the problem w
there are two kinds of posts in this forum... (Score:1)
--
I am not an actor but I play one on TV
So, IF I report a fire (Score:2)
According to Oracle's way of thinking I am. So, I should NOT warn those in danger and just secretly call the Fire Department?
How lame does Oracle think people are... well, just as lame as Microsoft thinks they are. And they must be. Look how many put up with hole after hole after hole, and even defend MS on the blogs for not fixing holes.
People get EXACTLY what they allow, or worse.
Re:So, IF I report a fire (Score:2)
Networked DB? (Score:1)
-M
Solid Spin, Oracle! (Score:1)