Security Researcher Says Oracle Slow to Fix Flaw
Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"
Oracle borrowing from the Microsoft Security-Fixing Playbook?
"we'll get around to it when we get around to it and not a moment sooner"
Oracle borrowing Microsoft's tactics? What next, alerting the Department of Homeland Security? Litchfield is al Qaeda, you betcha!
Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.
that flaming car, ralph's fault, he's al-qaeda, too.
Small wonder people have no problem at all in buying imported products and services considering the culture of ass-covering in the United States. Remember when American-made goods were the best in the world? Seems a distant memory now.
prepare a statement to the media which blames others for the problem, distances us from it and doesn't harm our stock value, oh and discontinue our practice of sending out new versions/models for review, tell everyone they just have to trust us that everything is fine and not very many people died horrible flaming death during testing of the software and/or new car model
A feeling of having made the same mistake before: Deja Foobar
What if they CAN'T fix the problem immediately?
I am a programmer and when I find bugs in my code "pre-release" I find it beneficial. However, some of the bugs I have to spend a substantial amount of time debugging to finally find a fix.
With code as large as Oracle's, it could take an extremely long time.
This is unfortunate.
Windows? I haven't used that since 1999. Fix the Slashdot Problems
Oracle sold crap software, did not fix it when told about a problem.
So tell me again, Oracle, WHO put their customers at risk?
Acts of massive stupidity are almost never covered by warranty. --me.
What David Litchfield has done is put our customers at risk
Isn't Oracle the one who has put their customers at risk?
I'm sure if Oracle was a simple company with a simple app, then it would be a piece of cake to patch any issues... but sometimes it takes a while to debug and release a fix
Litchfield is putting Oracle's customers at risk? I don't think so. Oracle put their customers at risk; Litchfield merely told those customers they were at risk and in what way. He gave Oracle 3 months to either fix the problem or inform their customers, Oracle did neither, so I'd say the problem's all of Oracle's making. If they'd placed their customers' security over their own PR in a reasonable timeframe, Litchfield wouldn't have had to embarrass them this way.
Another example of why "reasonable disclosure" doesn't work well.
No, what Oracle did is endanger their customers! What he did was try to help them save their ass.
He gave them more than 3 months to fix it. They didn't. He releases the information so that admins can take steps to protect themselves... and they call HIM the dick? Right...
Beep beep.
We are always disappointed when software companies force us to publish details of vulnerabilities before making a fix available.
As bad as it is to publish unpatched vulnerabilities, it's worse if a company chooses to ignore security altogether. Ignoring security and suppressing vulnerability reports demands that vulnerabilities be published. People generally won't publish vulnerabilities if they see that the company is taking them seriously.
EULA. It's highly likely that they specifically disclaim any responsibility for anything related to the functionality or security of their product. It is the EULA which allows the maker of a flawed product to point the evil eye towards anyone who would have the audacity to point out the flaws.
EULAs must die.
fast as fast can be. you'll never catch me.
Duncan Harris, senior director of security assurance for Oracle, said in an interview with SecurityFocus.
"What David Litchfield has done is put our customers at risk."
This is the same argument that the Bush Administration used when the NYTimes published their story about how Bush & Co. are conducting domestic spying operations in the US.
Bush & Co. said this story should not have been published because it makes us less safe.
So instead of acknowledging your shortcomings or wrongdoing, you blame the messenger. This is not very fair in my opinion.
Why doesn't Oracle just acknowledge the problem and then fix it?
He who knows best knows how little he knows. - Thomas Jefferson
What Oracle is saying is analogous to having an overpass bridge that has cracks in it and the DOT getting upset that some citizen told the local TV station about the crack.
The bridge needs to be fixed or lives might be lost, and everyone has a right to know that.
In the case of Oracle lives probably won't be lost, but there is the potential for lots of businesses to lose large sums of money when an Oracle database gets cracked.
If a vulnerable product cannot be patched in a reasonable timeframe ..
RECALL THE PRODUCT!
That's what car makers do.
And yes, software is critical.
Fine, then what should be a standard legal definition for time limit for liability if they don't fix the bug in a reasonable period of time? If it's severe, they get three months? Other companies have to do product recalls by law if their products fail in a way that is damaging to life or property, so at what point do they have to start making amends to their customers for failure? Kinda funny considering the bravado they had in the past. I guess they got called out and they were all bluster.
The simplest answer lies where Oracle needs to provide this sort of information to Oracle DBAs and its users on a "need-to-know" basis, whereby you log on to their website and become a paying member for the latest news, security updates, and services (consenting to a non-disclosure agreement). Oracle can easily get away with this, as opposed to Microsoft in the OS market, because most people who own Oracle are highly trained and need to know this mission-critical information.
I write sig's like I know what I'm talking about.
I mean, gee, it's not like they have to test it on a huge number of platforms or anything right? Much better to rapidly fix the bug and then break a bunch of running code, bringing large businesses down to their knees.
Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.
The revolution will NOT be televised.
This example highlights how institutions (gov't, corps) long ago superseded the individual in terms of credibility on an unconscious level. Oracle today, Cisco a few months ago. Years ago there was a guy doing research on censorware. I recall that guy maintains he's a "victim" of the DMCA. You need more proof? All the moral outrage about this guy on /. and no action. Nothing.
Just one lesson to learn here is there needs to be some kind of standard procedure for notifying and working with companies with flawed software.
The idea being the individual conforms to an SOP and if the corporation hasn't done their part at some point, then the flaw can be responsibly published. It would give more strength and accountability to individuals. Much in the way medical doctors use SOPs to indemnify themselves in malpractice situations.
Is there anything like it out there for security research?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
While the posting doesn't explain the vulnerability in detail, you can see from the fix that it's inadequate input validation, which is easy to add. There's an access control mechanism that's supposed to prevent access to certain features from the web interface, and it's not doing its job.
While sometimes there are fundamental design problems, this doesn't look like such a case.
(And in such a case, you should explain to the problem reporter why this is an exceptionally difficult bug and ask for an exceptionally long time before disclosure.)
It would seem to me that what put Oracle's customers at risk was the security flaw itself, not someone's disclosure of it.
Have fun: Join D.N.A. (National Dyslexics Association)
http://news.com.com/Gartner+Oracle+no+longer+a+bastion+of+security/2100-7355_3-6030733.html
...for false advertising. Oracle routinely advertises their product as "unbreakable".
Sounds open & shut to me!
Indeed.
Breaking news... pot calls kettle black. Film at 11.
What's product recalls for? Better than having a potentially massive attack vector wide open for months or years.
What David Litchfield has done is put our customers at risk
After all, it *is* best practice to kill the messenger.
I think you underestimate just how much I just dont care.
:)
In these security-related articles, the question of independent researchers releasing the details of a flaw publicly before the company has released a patch for it always comes up, and the industry always blames the security researchers for doing this. I think this is based on a very flawed premise: The assumption that the person who just disclosed the bug was the first to find it, and that malicious users can't exploit a bug until it's been publicly exposed. If a vulnerability for Foo OS 1.5 to 1.8 is discovered in 2005, and Foo OS 1.5 was released in 2002, then that bug has been around for three years, and at any point in that time malicious hackers could have discovered the bug and started exploiting it. The clock doesn't begin when the benevolent independent research firm finds the bug. It would be paranoia to assume that every published security flaw has been actively exploited since it existed, but it is wishful thinking to assume what the industry seems to now.
There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS and the Oracle HTTP Server, that allows attackers to bypass the PLSQLExclusion list and gain access to "excluded" packages and procedures. This can be exploited by an attacker to gain full DBA control of the backend database server through the web server.
This flaw was reported to Oracle on the 26th of October 2005. On November the 7th NGS alerted NISCC (http://www.niscc.gov.uk/) to the problem. It was hoped that due to the severity of the problem that Oracle would release a fix or a workaround for this in the January 2006 Critical Patch Update. They failed to do so.
There is even a simple workaround:
I've already applied this on my OAS install on by development box and I'm ready to spend the next couple hours testing before recommending that we do this on our production box.
I don't think leaving their customers vulnerable for another 3 months (or perhaps even longer) until the next CPU is reasonable, especially when this bug is so easy to fix and easy to work around. Again, I urge all Oracle customers to get on the 'phone to Oracle and demand the respect you paid for.
I couldn't agree more. Can't fathom why they couldn't have notified customers (even if they couldn't have fixed mod_plsql through the CPU), or why they are going after the guy when he told them about this 3 months ago and waited for the January update before getting impatient and going public.
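The comment earlier in the thread describes the flaw as inadequate input validation in an access-control mechanism, and the quoted Bugtraq posting describes it as a bypass of the PLSQLExclusion list. The following is an added illustration of that general failure mode, written for this page; it is not Oracle's code, not the elided workaround from the posting, and it does not reproduce the actual bypass. It models a toy web-to-stored-procedure gateway: `naive_is_excluded` applies an exclusion list to the raw request string, while `hardened_is_permitted` canonicalises the requested identifier first, rejects anything that is not a plain two-part name, re-applies the exclusion list, and then requires the name to be on an allow-list of known entry points. The prefixes, procedure names and request strings are all constructed sample values.

```python
"""Exclusion-list check on raw input versus canonicalised, allow-listed input.

Added example for this thread (hypothetical gateway, constructed names);
not Oracle's implementation and not the workaround from the Bugtraq posting.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed deny-list of package prefixes the web tier must never reach.
EXCLUDED_PREFIXES = ("SYS.", "DBMS_", "UTL_")

# Constructed allow-list of application procedures the web tier legitimately exposes.
ALLOWED_PROCEDURES = frozenset({"APP.SHOW_REPORT", "APP.SEARCH", "APP.LOGIN"})

# A plain two-part identifier: SCHEMA_OR_PACKAGE.PROCEDURE, upper case, no quoting.
_IDENT = re.compile(r"[A-Z_][A-Z0-9_$#]*\.[A-Z_][A-Z0-9_$#]*")


def naive_is_excluded(requested: str) -> bool:
    """Deny-list applied to the raw request string, with no normalisation.

    Any spelling the database will accept but this comparison does not
    recognise (case, surrounding whitespace, quoted identifiers) slips past.
    """
    return requested.startswith(EXCLUDED_PREFIXES)


def canonicalise(requested: str) -> Optional[str]:
    """Reduce a requested procedure name to one canonical spelling.

    Returns None when the input is not a plain two-part identifier, so the
    caller rejects what it cannot reason about instead of guessing.
    """
    s = re.sub(r"\s+", "", requested)      # drop all whitespace, inside and around
    s = s.replace('"', "")                   # the web tier exposes no quoted identifiers
    s = s.upper()                            # unquoted SQL identifiers are case-insensitive
    return s if _IDENT.fullmatch(s) else None


def hardened_is_permitted(requested: str) -> bool:
    """Canonicalise, then deny-list, then allow-list; everything else is refused."""
    canon = canonicalise(requested)
    if canon is None:
        return False
    if canon.startswith(EXCLUDED_PREFIXES):
        return False
    return canon in ALLOWED_PROCEDURES


def evaluate(requests: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each request to (blocked by naive check, permitted by hardened check)."""
    return {r: (naive_is_excluded(r), hardened_is_permitted(r)) for r in requests}


if __name__ == "__main__":
    # Constructed requests as a gateway might see them in URL path segments.
    sample = ["APP.SHOW_REPORT", "app.search", "SYS.SOME_PROC",
              " sys.some_proc", '"SYS".SOME_PROC', "APP.SHOW_REPORT;DROP"]
    for req, (naive_blocked, permitted) in evaluate(sample).items():
        print(f"{req!r:28} naive_blocked={naive_blocked!s:5} hardened_permitted={permitted}")
```

The design point is the order of operations: validation must run on the same representation the backend will interpret, so the identifier is canonicalised before any list is consulted, and the exclusion list is a backstop rather than the only control; the allow-list is what actually decides.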
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
that a machine is plugged into a wall will account for a security breach
let's get worked up digg.com
Turn off, tune out, unplug.
Why doesn't Oracle just acknowledge the problem and then fix it?
Oracle's DB products are unbelievably complex pieces of code which support tens of thousands of dependencies from other pieces of code, many of which weren't even created by Oracle. It's not as simple as, "Hey. Let's throw this patch out on our website and tell everyone to install it."
This dude shows up with some kind of exploit and then has the gall to dictate to Oracle what their bugfix release schedule should be?!? That's a real narrow view of the situation. Not only are they having to design a fix for the exploit in the current version, but they have to ensure it doesn't conflict with their future versions currently in development. And then they have to do regression testing to ensure it doesn't break dependencies. And then they gotta give it out to their customers who will also be running the same kind of regression tests before they deploy the patch to their live servers.
As an Oracle customer, I'd prefer that they release cumulative fixes on an established schedule rather than ring a Defcon 1 alarm whenever someone finds a bug that may not even impact my installation. Releasing patches as one-off fixes causes more headache for the customer in repetitive testing. As it is, Oracle publishes bugfixes quarterly, and they probably didn't have time to fit this fix into their testing matrix, etc. by the time they were notified of the problem. They also probably evaluated the bug and determined it didn't pose that much of a risk.
I'm not saying Oracle customers shouldn't demand quick turnarounds on bugfixes, but this guy kind of comes across as a control-freak who wanted to make a big corporation jump through a hoop and when they didn't, he went crybabying to securityfocus.
Seth
$5 / month hosted VPS on linux = awesome!
When I was at university, there was a program publishing confidential information to /tmp with read all access. I alerted the system administrators and officials, and they said thanks, they'd fix it.
A few months later, I noticed the same stuff getting generated, so I complained, and was told that it was fixed.
So I posted the information in an administrators' newsgroup.
Suffices to say, I was BAD for publishing confidential information. I got my privs removed, threatened with expulsion, but hey, the problem was fixed.
So how does this apply to oracle in my experience? "Bad" researcher for not working with the company to fix the problem and rushing to prove a point. "Bad" company for not addressing the issue properly when they were first made aware of it.
But it's kind of strange these days how publishing information on how to break systems, or providing shoot-from-the-hip fixes (metafiles, anyone?) makes instant heroes, when in the past this kind of egotistical, self-gratifying behavior typically generated a reprimand.
I admit, in my case, my thumb was on my nose when I did my public naughtiness. Least I grew up...
/\/\icro/\/\uncher
Indeed! How dare anyone ever tell the emperor his butt is hanging out in the breeze... and his little pee-pee too. Whoever discloses such things, OFF WITH THEIR HEADS!
...Oracle should contact him immediately, and determine any schedule he may have on revealing further security flaws.
I assume that Litchfield has additional bombshell revelations in store, and it is obvious that he has run out of patience.
Oracle should be silent on criticism of Litchfield, and they should quickly triage which problems they intend to solve, and when.
p.s. Oracle should also stop distributing Apache. Their version has more holes than swiss cheese.
We believe in it.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
this does seem to be a bit exaggerated.
how does the compromised IAS server get a database session w/DBA? if IAS is connected to database as user w/DBA then sure but that's a pretty stupid configuration. is it possible to get a session as a user w/DBA w/o one of the following being true:
1. the IAS server was already configured to connect to database as user w/DBA (dumb)
2. IAS is running on same server/user as DB instance (uber-dumb)
3. sys/system (/apps for ERP) passwords not changed from defaults (no words for this)
if not it's still bad but somewhat exaggerated. if so then gentlemen, start your flamethrowers!
full disclosure: my spouse is a sales consultant at Oracle but trust me, I don't hesitate to criticize them when warranted.
...the ones that all say the same thing about Oracle putting their customer at risk and people complaining about all of the redundant comments. Jeez!!! What, did the Borg just invade /. or something?!
--
I am not an actor but I play one on TV
blah blah blah
But, hey, I'll let you all judge. Here's his posting to Bugtraq:
--
Sorry, but please save your political arguments to a political topic
What I was trying to say was that people can criticize something without having fear or being intimidated from speaking up. I have no political agenda here except free thought and speech.
He who knows best knows how little he knows. - Thomas Jefferson
am I putting citizens at risk too?
According to Oracle's way of thinking I am. So, I should NOT warn those in danger and just secretly call the Fire Department?
How lame does Oracle think people are... well, just as lame as Microsoft thinks they are. And they must be. Look how many put up with hole after hole after hole, and even defend MS on the blogs for not fixing holes.
People get EXACTLY what they allow, or worse.
Running with Linux for over 20 years!
Plain and simple, any database directly accessible to the open world with a nice public IP or no filtering is clearly run by idiots. Agreed, a slow response is a slow response, but it's like a local exploit on a low-volume internal machine... the response is 'when you get around to it'.
-M
And for once, the more 'traditional' analysts (Gartner, in this case) actually agree with the security experts: "... the range and seriousness of the vulnerabilities patched in this update cause us great concern. The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access."
See http://www.gartner.com/DisplayDocument?doc_cd=137477 for details.
Ah, right, Oracle. This is how your customers read your spin, though: "We [customers] are always disappointed when [Oracle] feel[s] the need to [place blame] before a fix is available... What [Oracle] has done is [ensure we are not] at risk[ - only if third parties shut up, heed its whining, and play nicely!]" Oracle makes the point itself: its customers are at risk - period. ...too bad Oracle's hot air hasn't lifted a fix off the ground yet!