Security Researcher Says Oracle Slow to Fix Flaw

Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"

Researcher point of view

[dtfinch]

We are always disappointed when software companies force us to publish details of vulnerabilities before making a fix available.

As bad as it is to publish unpatched vulnerabilities, it's worse if a company chooses to ignore security altogether. Ignoring security and suppressing vulnerability reports demands that vulnerabilities be published. People generally won't publish vulnerabilities if they see that the company it taking them seriously.

Re:Recall product

>And yes, software is critical.

When customers such as government agencies and hospitols rely on your product to store their data, it is pretty damned critical. If you were a patient in a hospitol, the database could be life or death to you.

Re:A Cultural Thing?

[ackthpt]

I understand that you want to try and make everything a political argument about how much America and/or Bush and/or Republicans and/or the intelligence community and/or Congress sucks, but seriously... a software patch?

You either misunderstand on purpose or not, but as you've suddenly skewed into the political arena at the 12th word of that sentence, I suggest you re-read the subject line and consider how you're under that blanket, too.

Re:A Cultural Thing?

[ackthpt]

"Oracle borrowing from the Microsoft Security-Fixing Playbook?" I'd say they stole it.

Again, to be fair to Microsoft, I don't think they wrote it, they've just updated it a bit.

Back in 1985 I was introduced to the concept of BS'ing on an expensive product from an american company. I truly wasn't expecting a company to utterly flee any responsibility. As it was out of my own time and money the expenses were coming to remedy problems I was acutely in tune with what was transpiring. Why oviously defective parts would be used, then not updated/replaced ASAP. At the same time I was a programmer on a DEC system and DEC took very, very good care of us (which probably has something to do with why they're out of business now, cared about customers and product rather than maximising profit.)

Re:Really a problem?

[Fishstick]

Especially as there is apparently a workaround

http://www.securityfocus.com/archive/1/423029

The workaround is trivial; using mod_rewrite, which is compiled into
Oracle's Apache distribution it is possible to stop the attack. The
workaround checks a user's web request for the presence of a right facing
bracket, ')'.

Add the following four lines to your http.conf file then stop and restart
the web server

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

Re:Really a problem?

[Shoten]

With the code as large as Oracle's code is.. it could take an extremely long time.

Okay, hang on. I know Litchfield, and he's no dummy (and he's a coder as well). First of all, Oracle isn't one guy debugging the code, as you are; it's a whole huge company, with literally thousands of programmers. Their code is in a system like Rational, which helps with modeling as well (thus enabling people to find the sections of code that control various aspects of the software...so you don't have to go looking through ALL of it just to find, say, the section that checks the listener password). And Litchfield told Oracle precisely what the flaw was, the conditions that expose it, etc. So there's no way it should take them 3 months just to find the damned thing. This isn't some guy writing software on his own who hears about a bug in his code; this is an army of developers with some extremely powerful tools for code management, looking for a very well-defined and documented bug, as described to them by someone who is arguably the world's foremost expert on database security.

But let's say they did need this long just to find it? The standard rules of engagement (I'm referencing RFPolicy in particular here, as it's what I rely on, but the one developed by l0pht works too) for vulnerability disclosure make plenty of room for such an event...PROVIDED the vendor keeps in touch with the researcher who found the bug. If you just ignore him, this is what you get. David's a reasonable and generous man (he must be; he wrote the foreword to my book...that statement also serves as the disclaimer), and I'm sure he'd be willing to help in any way he can.

Re:Really a problem?

[CaptKeen]

I am a programmer and when I find bugs in my code "pre-release" I find it benefitial. However, some of the bugs I have to spend a substantial amount of time debugging to finally find a fix.

With the code as large as Oracle's code is.. it could take an extremely long time.

Yes, but they could have at least published a workaround the problem, even if they don't have the fix in place. There is a 4 line change to the Apache setup which acts as a workaround for the problem; David Litchfield posted it to Bugtraq himself in the move that got Oracle so upset with him. Here it is:

Add the following four lines to your http.conf file then stop and restart the web server

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack