Slashdot Mirror


Oracle's Chief Security Officer Speaks Out

s0u1d13r writes "ZDNet Australia posted a special article from Oracle's CSO regarding the treatment and publishing of exploits and vulnerabilities by security researchers. From the article: 'There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act.' An interesting read from the perspective of one of the largest software vendors accused of ignoring vulnerabilities by software researchers."

3 of 112 comments

  1. But that's true, at least for extensive vulns by melted · Score: 5, Interesting

    But that's true, at least for extensive vulnerabilities that can require a lot of effort to fix and/or test!

    Let's see, you're a development manager and you have a crazy schedule forced on you from above by some idiotic VP. Now this guy from product support comes along and tells you about this horrible flaw that will require you to shut down all development for two weeks, slip the schedule and have your best people fix it. Then you shut down testing for a month and have your best testers test it. Then there's the pain of pushing out a patch and notifying the customers and the bad PR associated with that.

    I can easily see how some of the less obvious vulnerabilities would be simply brushed off using the "no one is ever going to find out" line of reasoning. Now if you know that someone has already found out and he will make it public in about a month, sure as heck you're going to issue a patch, even if this means slipping the schedule by a month (or in case of Windows by two years). Because if you don't, script kiddies will rape your customer and he will never give you another dollar.

    1. Re:But that's true, at least for extensive vulns by gclef · Score: 5, Informative

      The problem is, a few of the recently-released ones had lag times measured in *years*. Oracle can whine all they like about unrealistic deadlines from researchers, but a few years is far too long to sit on something.

      My reference for the years comment:
      http://www.red-database-security.com/advisory/published_alerts.html

      They waited over 600 days for Oracle to patch some vulns. There's no excuse for that.

  2. Re:Department of Homepage Security by fimbulvetr · Score: 5, Interesting

    This is bullshit.

    Oracle does _not_ take vulnerabilities seriously. I agree that the oracle database is extremely complex, and the implications of bugs are enormous, but it's not inherently complex. Because of this, claiming that they don't release patches because it's complex is bullshit. Oracle does not need to be as complex as it is.

    First, the complexity:
    I've been running Oracle just as long as I've been running both Mysql and Postgres (I know what you're saying - oh, he's one of those guys:)), and I know that the features oracle offers can exist without all of the useless bloat oracle tacks on. Mysql can replicate, instantly, to who knows how many databases. Oracle Dataguard is limited to 9. I can restore databases in seconds using postgres, oracle takes all damn day. Mainly because you have to have your ducks in a row with: Arch files, redo files, tnsnames, listener files, spfiles, pfiles, oratab, oracle home, etc. Oracle databases are extremely difficult to get running on a different system. Even exports (exp/imp - what _should_ be similar to an sql dump) don't work across OSs. Oracle offers no native sql dump command, instead you have to figure out how to get TORA working. Oracle offers sqlplus, an old, broken command line client that requires unsightly scripting to even start the database.
    Oracle's documentation is very similar to their product: Disconnected. Nothing fits. Everything (kind of) works, but no one knows how to put it together, save the people who killed what must be hundreds of thousands of brain cells by doing it by trial and error. Oracle requires java, and lots of it. Oracle requires an oracle database to monitor other oracle databases. It's wise to put this on a separate installation/box. Doesn't seem to make a lot of sense. Now I have twice as many exploitable boxes, not to mention more to back up, administer, etc. Oracle requires an insane amount of disk space compared to other databases.
    I'm not arguing for mysql/postgres vs. oracle - I'm just trying to say that Oracle does NOT need all of the bloat it currently has. The company could stand to do a complete rewrite of it.

    Now, the security:
    Here's a perfect example of what I mean:
    http://www.red-database-security.com/advisory/published_alerts.html

    The first 6 vulnerabilities are 600(!!!) days old!
    Here's a perfect example of their lack of motivation.

    http://packetstormsecurity.nl/0507-advisories/Oracle9R2-unpatched.txt

    Basically, a vulnerability was disclosed months ago, and oracle fixed 10.x in July's update, but completely ignored 9.x. To quote TFA:

    'We contacted Oracle about this issue and Oracle
    confirmed it, when we asked why there is no fix
    for 9iR2, Oracle said:

    "Our development teams neglected to do the backports.
    We are working on creating those backports now."'

    Leaving production systems unpatched until October! (Assuming oracle doesn't 'neglect' to do it again.)

    In short, quit reading the marketing bullshit and wake up.