Slashdot Mirror


Security Researcher Says Oracle Slow to Fix Flaw

Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"

24 of 91 comments

  1. A Cultural Thing? by ackthpt · · Score: 4, Interesting

    [...] Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit.
    Oracle borrowing from the Microsoft Security-Fixing Playbook?

    "we'll get around to it when we get around to it and not a moment sooner"

    Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'
    Oracle borrowing Microsoft's tactics? What next, alerting Department of Homeland Security?

    Litchfield is al qaeda, you betcha!

    Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.

    that flaming car, ralph's fault, he's al-qaeda, too.

    Small wonder people have no problem at all in buying imported products and services considering the culture of ass-covering in the United States. Remember when American-made goods were the best in the world? Seems a distant memory now.

    prepare a statement to the media which blames others for the problem, distances us from it and doesn't harm our stock value, oh and discontinue our practice of sending out new versions/models for review, tell everyone they just have to trust us that everything is fine and not very many people died horrible flaming death during testing of the software and/or new car model

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:A Cultural Thing? by JordanL · · Score: 3, Funny

      Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.

      I'm pretty sure that metaphor is bad enough to make baby Jesus cry. I have absolutely no clue how a software company taking longer than 3 months to patch code that could have tens of millions of lines is like automakers blaming a car explosion on Ralph Nader because he's al-Qaeda....

      I understand that you want to try and make everything a political argument about how much America and/or Bush and/or Republicans and/or the intelligence community and/or Congress sucks, but seriously... a software patch?

    2. Re:A Cultural Thing? by PacketScan · · Score: 2, Funny

      "Oracle borrowing from the Microsoft Security-Fixing Playbook?" I'd say they stole it.

    3. Re:A Cultural Thing? by ackthpt · · Score: 2, Informative
      I understand that you want to try and make everything a political argument about how much America and/or Bush and/or Republicans and/or the intelligence community and/or Congress sucks, but seriously... a software patch?

      You either misunderstand on purpose or not, but as you've suddenly skewed into the political arena at the 12th word of that sentence, I suggest you re-read the subject line and consider how you're under that blanket, too.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:A Cultural Thing? by ackthpt · · Score: 2, Informative
      "Oracle borrowing from the Microsoft Security-Fixing Playbook?" I'd say they stole it.

      Again, to be fair to Microsoft, I don't think they wrote it, they've just updated it a bit.

      Back in 1985 I was introduced to the concept of BS'ing on an expensive product from an American company. I truly wasn't expecting a company to utterly flee any responsibility. As it was out of my own time and money the expenses were coming to remedy problems, I was acutely in tune with what was transpiring. Why obviously defective parts would be used, then not updated/replaced ASAP. At the same time I was a programmer on a DEC system and DEC took very, very good care of us (which probably has something to do with why they're out of business now: cared about customers and product rather than maximising profit).

      --

      A feeling of having made the same mistake before: Deja Foobar
    5. Re:A Cultural Thing? by corbettw · · Score: 4, Funny

      Remember when American-made goods were the best in the world?

      I'm only 34, so, no.

      --
      God invented whiskey so the Irish would not rule the world.
    6. Re:A Cultural Thing? by ackthpt · · Score: 2, Interesting
      Remember when American-made goods were the best in the world?
      I'm only 34, so, no.

      Not actually that long ago for many things. I've still got a set of sockets, one of which withstood 175 ft/lbs of torque to remove a stubborn head bolt on an AMC 360 V8 (the engine was wrecked by a dropped valve and shattered piston, but in the sort of grim fascination engineering types hold for such things, we just had to take it apart to see the carnage). Two Taiwanese sockets (lifetime guarantee!) split at about 90 ft/lbs.

      Friends returning from being stationed in Korea were fascinated by the locals' affinity for American-made toasters, pans, etc., which servicemen and their families had taken with them but chose not to haul back home. Seems the Koreans preferred these goods as they were far more durable than anything they could find in their markets. OK, that was probably 10 years ago or so, but you weren't living under a mushroom at that time, were you?

      --

      A feeling of having made the same mistake before: Deja Foobar
  2. Really a problem? by PlayCleverFully · · Score: 4, Insightful

    What if they CAN'T fix the problem immediately?

    I am a programmer and when I find bugs in my code "pre-release" I find it beneficial. However, some of the bugs I have to spend a substantial amount of time debugging to finally find a fix.

    With the code as large as Oracle's code is.. it could take an extremely long time.

    This is unfortunate.

    --
    Windows? I haven't used that since 1999. Fix the Slashdot Problems
    1. Re:Really a problem? by Todd+Knarr · · Score: 2, Interesting

      If Oracle can't fix the problem in 3 months, at least they could inform their own customers so they could take protective measures of their own. That Oracle could do inside of 3 months no matter how complex the bug is to finally fix.

    2. Re:Really a problem? by GrenDel+Fuego · · Score: 4, Interesting

      What if they CAN'T fix the problem immediately?

      If they can't fix it immediately, then they should let him know WHEN they're going to fix it. David announced this because he was expecting a fix in the January update, and it was not there.

      On top of this, for the past few months he's been complaining about the fact that some of the vulnerabilities he has told Oracle about have gone unpatched for 2+ years. He has already tried the "responsible disclosure" route with Oracle. They're just not being responsive.

      I think that his announcement and others like it will be the only way to get Oracle to respond. I'm just worried about what this means for the next X months.

    3. Re:Really a problem? by Fishstick · · Score: 2, Informative
      Especially as there is apparently a workaround

      http://www.securityfocus.com/archive/1/423029


      The workaround is trivial; using mod_rewrite, which is compiled into
      Oracle's Apache distribution it is possible to stop the attack. The
      workaround checks a user's web request for the presence of a right facing
      bracket, ')'.

      Add the following four lines to your http.conf file then stop and restart
      the web server

      RewriteEngine on
      RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
      RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
      RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack
      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    4. Re:Really a problem? by hackstraw · · Score: 2, Interesting

      If Oracle can't fix the problem in 3 months, at least they could inform their own customers so they could take protective measures of their own. That Oracle could do inside of 3 months no matter how complex the bug is to finally fix.

      I admin an Oracle database, and I am not a fan (I am also NOT a DBA, it's just a small part of my job for bioinformatics research). With the latest worms and whatever security announcements, it seems as a registered and paying Metalink member, I should quickly and easily download the latest patches off of their site.

      Well, last Friday, I gave up on finding the patches after 20 minutes of searching for them. I sent a problem report asking them what year their calendar said, because mine says 2006. That is ridiculous.

      I've always been under the assumption that all databases are insecure, and should be firewalled off and remotely accessed from a trusted machine over a private network. That seems to be the best thing to do.

    5. Re:Really a problem? by Shoten · · Score: 2, Informative

      With the code as large as Oracle's code is.. it could take an extremely long time.

      Okay, hang on. I know Litchfield, and he's no dummy (and he's a coder as well). First of all, Oracle isn't one guy debugging the code, as you are; it's a whole huge company, with literally thousands of programmers. Their code is in a system like Rational, which helps with modeling as well (thus enabling people to find the sections of code that control various aspects of the software...so you don't have to go looking through ALL of it just to find, say, the section that checks the listener password). And Litchfield told Oracle precisely what the flaw was, the conditions that expose it, etc. So there's no way it should take them 3 months just to find the damned thing. This isn't some guy writing software on his own who hears about a bug in his code; this is an army of developers with some extremely powerful tools for code management, looking for a very well-defined and documented bug, as described to them by someone who is arguably the world's foremost expert on database security.

      But let's say they did need this long just to find it? The standard rules of engagement (I'm referencing RFPolicy in particular here, as it's what I rely on, but the one developed by l0pht works too) for vulnerability disclosure make plenty of room for such an event...PROVIDED the vendor keeps in touch with the researcher who found the bug. If you just ignore him, this is what you get. David's a reasonable and generous man (he must be; he wrote the foreword to my book...that statement also serves as the disclaimer), and I'm sure he'd be willing to help in any way he can.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    6. Re:Really a problem? by CaptKeen · · Score: 2, Informative
      I am a programmer and when I find bugs in my code "pre-release" I find it beneficial. However, some of the bugs I have to spend a substantial amount of time debugging to finally find a fix.

      With the code as large as Oracle's code is.. it could take an extremely long time.


      Yes, but they could have at least published a workaround for the problem, even if they don't have the fix in place. There is a 4 line change to the Apache setup which acts as a workaround for the problem; David Litchfield posted it to Bugtraq himself in the move that got Oracle so upset with him. Here it is:

      Add the following four lines to your http.conf file then stop and restart the web server

      RewriteEngine on
      RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
      RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
      RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack
      --
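The mod_rewrite workaround quoted in the two comments above redirects any request whose query string (first rule, via the RewriteCond) or whose request path (second rule) contains a ')' or its encoding '%29'. As an added example, not code from the Bugtraq post, Oracle or Apache, the Python below applies those same two conditions to Apache combined-format access log lines, so an administrator can see which earlier requests the workaround would have redirected to the denied page; the log lines are constructed sample data and the paths in them are made up.

```python
"""Offline check mirroring the quoted mod_rewrite workaround (added example)."""
import re
from urllib.parse import urlsplit

# Same test as: RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
# i.e. a literal ')' or its percent-encoding '%29' anywhere in the string.
PAREN_PATTERN = re.compile(r"\)|%29")

# Request line inside an Apache "combined" log entry: "METHOD /path?query HTTP/1.x"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def would_be_denied(request_target: str) -> bool:
    """True if the quoted rules would redirect this request target.

    Rule 1 is gated by the RewriteCond and therefore looks only at the query
    string; rule 2 has no condition and its pattern is matched against the
    request path. Either match is enough for the redirect to fire.
    """
    parts = urlsplit(request_target)          # does not URL-decode, like %{QUERY_STRING}
    return bool(PAREN_PATTERN.search(parts.query) or PAREN_PATTERN.search(parts.path))


def flag_denied_requests(log_lines):
    """Return the request targets from access-log lines the workaround would block."""
    flagged = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and would_be_denied(m.group("target")):
            flagged.append(m.group("target"))
    return flagged


# Constructed sample log lines (hypothetical paths and addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2006:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Jan/2006:10:00:02 +0000] "GET /app/report?p=1 HTTP/1.1" 200 300',
    '10.0.0.9 - - [20/Jan/2006:10:00:03 +0000] "GET /app/report?p=f(x) HTTP/1.1" 200 300',
    '10.0.0.9 - - [20/Jan/2006:10:00:04 +0000] "GET /app/report?p=f%28x%29 HTTP/1.1" 200 300',
    '10.0.0.9 - - [20/Jan/2006:10:00:05 +0000] "GET /app/a%29b HTTP/1.1" 404 200',
]

if __name__ == "__main__":
    for target in flag_denied_requests(SAMPLE_LOG):
        print("would be redirected:", target)
```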
  3. Who put their customers at risk!!?! by SillySlashdotName · · Score: 2, Insightful

    Oracle sold crap software, did not fix it when told about a problem.

    So tell me again, Oracle, WHO put their customers at risk?

    --
    Acts of massive stupidity are almost never covered by warranty. --me.
  4. who is to blame? by jwegy · · Score: 2, Insightful

    What David Litchfield has done is put our customers at risk
    Isn't Oracle the one who has put their customers at risk?

  5. Who's putting customers at risk? by Todd+Knarr · · Score: 4, Insightful

    Litchfield is putting Oracle's customers at risk? I don't think so. Oracle put their customers at risk, Litchfield merely told those customers they were at risk and in what way. He gave Oracle 3 months to either fix the problem or inform their customers, Oracle did neither, I'd say the problem's all of Oracle's making. If they'd placed their customer's security over their own PR in a reasonable timeframe, Litchfield wouldn't have had to embarrass them this way.

    Another example of why "reasonable disclosure" doesn't work well.

  6. It's the other way around.. by deep44 · · Score: 5, Insightful
    We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available...
    We (consumers) are always disappointed when vendors postpone a patch for a critical vulnerability to the point where a researcher must release the details of said vulnerability in order to motivate the vendor.
  7. Huh? by Realistic_Dragon · · Score: 2, Insightful

    He gave them more than 3 months to fix it. They didn't. He releases the information so that admins can take steps to protect themselves... ...and they call HIM the dick? Right...

    --
    Beep beep.
  8. Researcher point of view by dtfinch · · Score: 4, Informative

    We are always disappointed when software companies force us to publish details of vulnerabilities before making a fix available.

    As bad as it is to publish unpatched vulnerabilities, it's worse if a company chooses to ignore security altogether. Ignoring security and suppressing vulnerability reports demands that vulnerabilities be published. People generally won't publish vulnerabilities if they see that the company is taking them seriously.

  9. ever heard of regression testing? by bobalu · · Score: 3, Interesting

    I mean, gee, it's not like they have to test it on a huge number of platforms or anything right? Much better to rapidly fix the bug and then break a bunch of running code, bringing large businesses down to their knees.

    Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.

    --
    The revolution will NOT be televised.
    1. Re:ever heard of regression testing? by morzel · · Score: 2, Insightful
      I mean, gee, it's not like they have to test it on a huge number of platforms or anything right? Much better to rapidly fix the bug and then break a bunch of running code, bringing large businesses down to their knees.
      If you would have read the fine article, you would have known that flaws in this particular piece of code have been discovered over the past few years, with each patch being inadequate in actually fixing it securely. You should think that 4 years would be enough for some regression testing.
      Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.
      The author of the report detailing the exploit also includes a workaround, which enables administrators to have some kind of protection. The bad guys as you call them were already all over this due to the history of security issues in that piece of code. In this case, I see more value in letting the customers know that their machines are at risk than telling something that the bad guys most probably already knew.
      --
      Okay... I'll do the stupid things first, then you shy people follow.
      [Zappa]
  10. It's not a fundamental bug by Anonymous Coward · · Score: 2, Insightful

    While the posting doesn't explain the vulnerability in detail, you can see from the fix that it's inadequate input validation, which is easy to add. There's an access control mechanism that's supposed to prevent access to certain features from the web interface, and it's not doing its job.

    While sometimes there are fundamental design problems, this doesn't look like such a case.

    (And in such a case, you should explain to the problem reporter why this is an exceptionally difficult bug and ask for an exceptionally long time before disclosure.)

  11. Re:Blame it on the messenger, again by dmeranda · · Score: 2, Insightful

    What a lame analogy. Trying to compare those two is practically meaningless, unless of course you have a particular extremist political agenda and are looking for any reason at all to try to convince yourself that you must be right.

    Since you brought it up though, let's analyze the analogy. And only in terms of "security", which is what this /. thread is all about.

    Intercepting communications from foreign people believed to be terrorists or connected to them:

      * This activity's purpose is to prevent future "security breaches" (e.g., learning of a terrorist plot).
      * Without this activity, citizens are certainly less safe (meaning this activity has a positive security benefit)
      * The activity itself is neither unsafe nor poses a "security hole" (regardless of your opinions on other non-security effects like liberty)
      * Its effectiveness is in large part subject to it remaining covert
      * Publicly revealing the activity makes it non-covert, and therefore reduces its effectiveness.
      * Result: the "risk" to our safety was increased (again ignoring any other effects for this analogy). There is no obvious way to "undo" this increase in risk (e.g., no forthcoming "patch" which will make it covert once again)
      * If the public exposure had not happened: risk would have remained unchanged (which already was lower than if this activity was not even occurring)

    Exposing Oracle bug publicly:

      * The "activity" in this case was a security flaw in deployed software.
      * Thus the "activity" was unsafe.
      * The risk it poses was dependent upon it remaining undiscovered and without an implemented exploit, or until fixed.
      * Publicly revealing it makes it undiscovered.
      * Result: the risk is temporarily increased; it's a race to whether an exploit or a patch is developed first. The risk will actually be decreased when a patch is available and installed.
      * If bug was not publicly revealed: flaw remains in software (proven for at least 3 months); probability of being discovered by "black hats" increases with time, thereby gradually increasing risk.

    Oh, and one other big difference: in the former there were other ways to attempt change without full public disclosure (congressional oversight, etc.) that were not used. In the latter, other non-public methods of effecting change were attempted first.

    So yes, both acts of publicity result in at least temporary increased risk. But the analogy is otherwise completely broken.

    Sorry, but please save your political arguments to a political topic.