Slashdot Mirror


The Week of Oracle Database Bugs

os2man writes "After the Month of Browser Bugs and the Month of Kernel Bugs, December will have a Week of Oracle Database Bugs. This project will release, every day for a week, a new 0-day bug specific to Oracle in order to show the current status of its [in]security. They are currently asking for new bugs, in order to extend the publication of new exploits a few more days."

56 comments

  1. Great by Spritzer · · Score: 4, Interesting

    Maybe they should look at security issues with Oracle's Discoverer client as well. It's pretty sad when having "@" in your password will compromise every character that follows within your password. For example, if ODB password were Sl@shd0t! and the database to connect to were BOB, at the next login the Connect field would be filled with shd0t!@BOB. Not a huge issue, but certainly a risk if multiple people with varying permissions/responsibilities in Oracle have access to a machine with Discoverer.
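Added example, not part of the comment above and not Discoverer's own code: a connect-string parser that reproduces the behaviour the comment describes, assuming the client assembles a SQL*Plus-style user/password@database string and splits it on the first "@". Beside it is the fix a reviewer would ask for, splitting on the last "@", since a database alias cannot contain "@" but a password can. The username "alice" is constructed; the password and database name are the ones from the comment.

```python
def parse_connect_naive(connect_string):
    """Split 'user/password@db' on the FIRST '@'.

    This is the defective behaviour: everything after the first '@' in the
    password is mistaken for the database name, so a fragment of the password
    ends up in whatever field the client pre-fills and remembers.
    """
    credentials, _, database = connect_string.partition("@")
    user, _, password = credentials.partition("/")
    return user, password, database


def parse_connect(connect_string):
    """Split 'user/password@db' on the LAST '@'.

    Database aliases cannot contain '@', passwords can, so the rightmost '@'
    is the only unambiguous separator.
    """
    credentials, sep, database = connect_string.rpartition("@")
    if not sep or not database:
        raise ValueError("connect string has no '@database' part")
    user, _, password = credentials.partition("/")
    return user, password, database


def remembered_connect_field(connect_string, parser):
    """What a client shows in a remembered 'Connect' field after parsing
    with the given parser: with the naive parser this leaks password text."""
    return parser(connect_string)[2]


def leaked_password_fragment(connect_string, parser):
    """Return the part of the real password that the parser would expose in
    the database field (empty string when nothing leaks)."""
    _, real_password, _ = parse_connect(connect_string)
    shown = remembered_connect_field(connect_string, parser)
    for i in range(len(real_password)):
        if shown.startswith(real_password[i:] + "@"):
            return real_password[i:]
    return ""


if __name__ == "__main__":
    # Constructed sample: user 'alice', password and database as in the comment.
    sample = "alice/Sl@shd0t!@BOB"
    print("naive parse :", parse_connect_naive(sample))
    print("fixed parse :", parse_connect(sample))
    print("leaked      :", repr(leaked_password_fragment(sample, parse_connect_naive)))
```

The practical check for a client like this is to log in once with an "@" in the password, log out, and look at what the connect dialog pre-fills; if any part of the password is visible there, the client is splitting on the wrong "@" and a shared workstation exposes that fragment to the next user.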

  2. and by Anonymous Coward · · Score: 0

    huzzah

  3. um yeah by stoolpigeon · · Score: 5, Insightful

    without even commenting on the quality of oracle's rdbms, this statement:
    Why not the Month of Oracle Database Bugs?
    We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.

    doesn't even make sense. They have enough to do a whole year but ask for people to send in more to extend it to a second week? Because they don't want to compromise their entire zero day horde? Sorry but I just can't take these people too seriously.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:um yeah by Raistlin77 · · Score: 1

      Not to mention the slew of grammar, punctuation, and spelling errors.

    2. Re:um yeah by ajs · · Score: 3, Interesting

      It does make sense, but it's just not very smart.

      This is a group of (or singular) kiddies who want to make Oracle look bad. That's fine, and Oracle is a big company that I'm sure can take care of itself (C&D paperwork is probably burning out toner cartridges by the gross at Oracle HQ as we speak). My concern is that folks that are good at security testing, but too young to know how to direct their efforts constructively are going to destroy their fledgling careers before they get started. Many such bright kids these days assume that they'll make a name for themselves, and then the consulting bucks will roll in. Problem is that the wrong kind of press can lead to SOME work, but far less than you would have gotten by building a reputation in the industry through the quality of your work and references.

      As with security, in the job/consulting world social engineering is often a better approach than trying to pick the lock on the front-door.

    3. Re:um yeah by djbckr · · Score: 3, Insightful

      I was going to mod this up, but I thought I'd post instead. Oracle database work is my livelihood. Oracle makes no qualms about the number of bugs they have. Many of them are posted for all to see on their MetaLink support site. Many of them are not public for security reasons - and well they should be.

      I've found several Oracle bugs in my dealings with the software. I create a reproducible test-case and send it to them. They always respond with 1) this is a known bug, and it's bug #nnn; or 2) bug reproduced in lab on version n.n.n - filed as bug #nnn

      If I found a bug related to security, I am *certain* they would do the same, and not publish it. It would be foolish to do so. Why oh why do people like this need to publish security related bugs so everyone can get compromised? It's simply irresponsible.

      Oracle software is a *huge* moving target, and to fix a bug in something used by so many is a long, involved process. Break something critical in a patch and watch all hell break loose. Let the bug fixers do their jobs. It takes time, and exposing flaws like this does nobody any good.

    4. Re:um yeah by kaiser423 · · Score: 1

      uh yea.

      How much you care to bet that this hacker has a lot of Oracle stock shorted? Release the big 0-day exploits first, see the stock drop like a rock and cover on the short. Then pick it up in a little as it slowly rebounds and make more.

      One week, two weeks, the timeframe doesn't matter. It just has to be enough to make an event out of it.

    5. Re:um yeah by Psychotext · · Score: 3, Insightful

      I think realistically a lot of this can be traced back to the "Unbreakable" marketing campaign. They set themselves up for a major fall. That said, Oracle takes far too long to patch vulnerabilities and worrying about "breaking something critical" is not a good excuse.

      --
      People that believe in their opinions don't post AC.
    6. Re:um yeah by stoolpigeon · · Score: 1

      you really think this will have an impact on the stock price? i'm thinking the people with the power to influence that won't even be aware of this. it's an interesting idea, but i doubt it would work. have to watch it that week and see what happens.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    7. Re:um yeah by djbckr · · Score: 2, Insightful

      "worrying about "breaking something critical" is not a good excuse"

      Tell me, if your data was tied up in an [Oracle] database (and really, any database could be replaced between the [] for this question) and that data was key to your business processes - now we're talking about multi-billion $$$ corporations whose data is their livelihood - and Oracle were to release a patch and all of a sudden their data started corrupting or simply stopped working. You don't call that a good excuse???

      Sorry, that doesn't fly with me - I would call *that* ridiculous.

    8. Re:um yeah by Lehk228 · · Score: 1

      if they really wanted to make money shorting stocks, the right way to do it would be to release some script kiddie tools that would allow any jackass to bring down or otherwise compromise oracle based services.

      a scramble to fix bugs is costly, every major customer getting wtfpwned in a single month is MUCH more costly.

      --
      Snowden and Manning are heroes.
    9. Re:um yeah by Psychotext · · Score: 1

      I'm not saying that they should break your data, don't be asinine. I'm saying that it's perfectly possible to patch in a timely manner without breaking existing functionality. Especially with the resources a company like Oracle can throw at a problem.

      I used to work as an Oracle dba for a blue chip company and I find their service levels ludicrous.

      --
      People that believe in their opinions don't post AC.
    10. Re:um yeah by mrsbrisby · · Score: 2, Insightful
      Many of them are not public for security reasons - and well they should be.
      Sir, I have a car to sell you. There have been a number of customers killed in it, but I will not tell you why, until I get around to fixing the problem.

      If I found a bug related to security, I am *certain* they would do the same, and not publish it. It would be foolish to do so. Why oh why do people like this need to publish security related bugs so everyone can get compromised? It's simply irresponsible.
      No, it's not. If I have an Oracle database with a security vulnerability in it, I might be immune- my firewall might protect me, or I might not have users accessing it in a way that makes me vulnerable.

      If I am vulnerable, exactly what can the attacker accomplish? I might want to shut down my database. If it happens too frequently, I may want a refund.

      Whatever I do, it's my decision, and not Oracle's. The bugs are there because of their sloppiness. If I know about them, then I can protect myself. If I don't know about them, then I cannot protect myself. It's as simple as that.

      So do understand sir, you are asking me to trust them. Not just a little bit either, but potentially with the livelyhood of my company. Where exactly do you think these vulnerabilities come from, and who exactly do you think "discovers" them, and most importantly, why is it you think keeping information about these vulnerabilities secret from me (the customer) is a good thing?

      Tell me exactly sir, how is my request "irresponsible"?
    11. Re:um yeah by Anonymous Coward · · Score: 0, Interesting

      Bullshit. I also admin many oracle dbs and experience the same things you do. (Finding, reporting bugs, etc.)

      Where we differ, however, is I actually give a flying fuck about the quality of their software. Unlike many other apps I support, Oracle is likely to make me cringe the most and certainly plays a non-trivial role in some sleepless nights. (Whether it's because I'm worried, or because I'm patching)

      You see, oracle has been doing the same thing for many years. Rapidly developing shitty software based on some code some guy wrote 28 years ago. With the spider web of kludges, patches and patches for patches, we're in for a very bumpy ride for some time. We can't expect them to change because as far as they're concerned, they're doing just fine.

      I am opposed to that. I am for finding as many 0 days as is possible for this software so other vendors who truly write decent software will be considered. I am for oracle taking a long, deep look at their code and realizing that this stuff is better off being /dev/null'd and starting fresh with a rewrite (including backwards compatibility, where applicable). Only this time, they'll not toss security out the window, and they'll take into account some of the other lessons other software companies have learned over the last 28 years.

      Currently, oracle is pouring most of their money into: A. Support for their userbase. B. Developing more apps that can plug leaking holes on their sinking ship. C. Piling features on top of existing oracle base.

      I bet hardly any software vendor in the world pours as much people power into tech support as oracle does. If they did a rewrite with some decent coders, they might realize that the money they used to spend on techsupport is now just gravy.

    12. Re:um yeah by VENONA · · Score: 1

      "...exposing flaws like this does nobody any good."

      Well, that's one side of the full disclosure debate. The other side, of course, is that some vendors once had even worse reputations for fixing security vulnerabilities than they currently do. Full disclosure evolved in part as a means of holding their feet to the fire. As far as I can tell, the jury is still out on exactly how effective full disclosure is. It's certain that vulnerabilities that are being actively exploited can still remain unpatched for an obscene length of time.

      I think full disclosure can be done in what I regard as a responsible manner. You might want to have a look at Rain Forest Puppy's policy at http://www.wiretrip.net/rfp/policy.html as a starting point. To me, acting in a professional manner means exercising some judgment. You can't demand the impossible, but neither can you allow a vendor to stonewall indefinitely. Much will depend upon severity, whether you know the vulnerability is currently being exploited, whether you have a sense that the issue is being actively worked, etc.

      Personally, I draw the line at publicly releasing exploits. I can see how some people might do it, if they've been dealing with some of the very obvious stonewalling tactics that I've encountered. As in, "OK, after three months you still claim it's not an issue? I just released malware 1.0. I'm sure it won't cause you any PR or support problems. Have a nice day." To me, that's at best allowing frustration to overcome professionalism (defined as acting in the best interests of your profession). At worst, professionalism was never a factor, and it's done for notoriety or some other steaming pile of stupid.

      But responsible full disclosure most definitely does have its place. If you've never had a problem with Oracle, congratulations. But other people have. And I know of a plethora of problems with other vendors.

      --
      What you do with a computer does not constitute the whole of computing.
    13. Re:um yeah by Anonymous Coward · · Score: 0

      They can help the world by sending copies of their work anonymously to the major media globally.

      This would help them to tell the world.

      "Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers" - http://seclists.org/bugtraq/2005/Oct/0056.html

      Cisco IOS is just as crappy, but Cisco did understand that problem and developed the newer IOS XR operating system for their routers. Same with Microsoft. They know they have a problem, but they do try to reduce the problems when they make the new products.

      Both Cisco and Microsoft were total crap for a lot of years without caring, but the market changed and they saw that. Oracle? They still do not care.

  4. Will it be by Anonymous Coward · · Score: 0

    like the Slashdot Bug

  5. 0-day by Schraegstrichpunkt · · Score: 4, Funny

    That word. I do not think it means what you think it means.

    1. Re:0-day by sharkey · · Score: 1

      It means "Unbreakable", right?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  6. Bug vs. Exploit... by msimm · · Score: 2, Interesting

    They are talking about two different things. It's one thing to say: hey, I'm a DBA and Oracle has a lot of bugs. It's another to say: hey hackers! There are a whole bunch of unpatched 0day exploits.

    Extending the week to two would be fine if it helps motivate Oracle to patch their software *before* someone makes these more trivially exploitable.

    --
    Quack, quack.
    1. Re:Bug vs. Exploit... by stoolpigeon · · Score: 2, Insightful

      but why do they need help to extend it a week if they have enough to last a year?

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  7. Oracle is unbreakable by duffbeer703 · · Score: 3, Funny

    Mess with Oracle, and this guy will mess with you.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:Oracle is unbreakable by Anonymous Coward · · Score: 0

      Oh no, the "scary Oracle guy" (as he's known around here)... That guy is seriously creepy looking in a serial killer kind of way...

  8. will they actually be limited to rdbms? by Anonymous Coward · · Score: 0

    not defending Oracle's security record but most of the bugs I've seen in the past couple of years are in tangential products (OAS, ERP, Discoverer, etc.) and require pretty stupid configurations/practices to be exploitable. that's not to say they aren't legitimate and can/should be ignored, just that I haven't seen too many database ones that cause me to lose sleep.

    (again) that said, Oracle certainly needs to clean up their act in this area...

  9. Next by Anonymous Coward · · Score: 5, Funny

    I presume that will be followed by 2007, "The Year of Windows Vista Bugs"?

    1. Re:Next by Bacon+Bits · · Score: 3, Funny

      I thought this was already "The Decade of Microsoft Windows Bugs"?

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:Next by Anonymous Coward · · Score: 0

      Ha Ha - you are so funny. Dick.

      What OS you use pussy boy?

    3. Re:Next by Anonymous Coward · · Score: 0

      I use PUNCH it up your ARSE HOLE CUNT FACE

    4. Re:Next by Anonymous Coward · · Score: 0

      thats too funny cause that is the same OS i used on your mommy. later cunt.

  10. AIS product by Anonymous Coward · · Score: 0

    How to endanger your environment, install AIS. The dependencies, fixes, patches, work-arounds and wailing and gnashing of teeth will entertain you for years.

  11. Fishing expedition? by nietsch · · Score: 1

    They certainly are not very convincing, or at least I too was not impressed. It might make a good fishing expedition though; declare a week of the X-bugs and hope those X-bugs come flowing in. Maybe someone should send in a lookalike exploit to find their intentions out.

    --
    This space is intentionally staring blankly at you
  12. Not sure what is being achieved here by Utopia · · Score: 2, Insightful

    by exposing 0-day bugs other than helping bad hackers but I would love to see someone poke holes in MS SQL server.

    It's been 1 year with no known exploits in SQL Server 2005 (zero in the product lifetime)
    http://blogs.technet.com/security/archive/2006/11/07/sql-server-2005-1-year-and-not-yet-counting.aspx

    1. Re:Not sure what is being achieved here by KermodeBear · · Score: 1

      The deer's greatest friend is the wolf.

      --
      Love sees no species.
  13. No kidding?! by firespade · · Score: 2, Interesting

    Bugs specific to security? There are still several exploits concerning the metadata itself. And on top of that, Secunia has multiple cases of vulnerabilities concerning all versions of the Oracle Database. All the way from Database Restriction Bypassing to boundary errors leading to buffer overflows by user initiated malicious attacks. Try harder Oracle.. try harder. Anthony

  14. Oracle Fanclub by PsyQo · · Score: 0

    Also, be sure to check out the Oracle Fanclub

  15. why don't by rs232 · · Score: 1

    Why doesn't Larry Ellison indemnify people against lost revenue because of bugs in Oracle?

    --
    davecb5620@gmail.com
    1. Re:why don't by mrsbrisby · · Score: 2, Funny
      Why doesn't Larry Ellison indemnify people against lost revenue because of bugs in Oracle?
      To get to the other side?
    2. Re:why don't by Rosonowski · · Score: 1

      Because with a couple hundred corporations losing millions an hour, it would only take one big bug to bankrupt them?

      --
      01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  16. Unbreakable? by Anonymous Coward · · Score: 0

    Unbreakable?

    anyone?

  17. I feel like we are caught in a .... timeloop by msimm · · Score: 3, Insightful

    They say A) they have enough bugs (erherm, not exploits) to last a year B) they also say (I won't even speculate on the quality of the comment) "we don't want to give away all our 0days".

    So whatever. They had a week's worth of exploits and they'd like some other people to pony up so they can make it two while holding on to some super-secret exploits. 7337!

    Anyway, slamming on Oracle seems a little silly. It's software, there will be problems.

    --
    Quack, quack.
    1. Re:I feel like we are caught in a .... timeloop by PinkPanther · · Score: 1
      slamming on Oracle seems a little silly. It's software, there will be problems.
      I agree with the first sentence, I completely disagree with the second.

      Focusing just on one vendor does seem sort of school-yard-teasing childish. It would be nice if they had a better description than "they are the #1 star."

      But the fact that software has problems does not mean that those issues shouldn't be addressed. And if public embarrassment is required to force a vendor's hand, so be it (though I'm not saying that it is the case with this vendor...but I wouldn't be overly surprised...).

      --
      It's a simple matter of complex programming.
    2. Re:I feel like we are caught in a .... timeloop by Pootie+Tang · · Score: 1

      When companies hold themselves out as "unbreakable" or make comments like:

        For more than 27 years, Oracle has built a reputation for delivering many of the industry's most secure solutions (http://www.oracle.com/security/)

      they make themselves a target.

      I agree, software has bugs. But when a marketing department tries to imply company X is immune then if somebody is going to get targeted, it might as well be company X in my book.

      That Apple ad where "PC" is sick and "Mac" is all touching PC's snotrag pissed me off. I realize Apple has a pretty good security record (way better than Oracle), but don't brag about it.

    3. Re:I feel like we are caught in a .... timeloop by McFadden · · Score: 1
      I realize Apple has a pretty good security record (way better than Oracle), but don't brag about it.

      I sometimes wonder whether Apple have got all 'look at us, aren't we great!' because they still to an extent can't get over the fact that they have a reasonably robust OS. I think many of us suffered for many years (particularly through the MacOS 7-9 period) with an OS which would happily destroy itself without the need for any exploits or viruses. A serious day's work in Photoshop would be enough to cause at least a handful of crashes/restarts. I still carry that nervous feeling and save my work with alarming regularity, even though I know I'm less likely to lose the entire morning's output than I used to be.

    4. Re:I feel like we are caught in a .... timeloop by dcam · · Score: 1

      Oracle has a very poor record when it comes to responding to bugs (and I mean security issues). Serious bugs have sat unpatched for over a year in the past. They also have had an antagonistic relationship with security researchers. There have been slashdot articles about this before.

      I'd go so far as to say that Oracle is worse than Microsoft when it comes to responding to vulns.

      --
      meh
    5. Re:I feel like we are caught in a .... timeloop by msimm · · Score: 1

      Or more in the limelight than their counterparts. We use Oracle at our shop, upgrades certainly aren't as fast, but then enterprise database systems are frequently behind firewalls and not always something they want to tinker around with.

      --
      Quack, quack.
    6. Re:I feel like we are caught in a .... timeloop by iamacat · · Score: 1

      Do you really expect companies not to advertise their strong features that are ahead of competition? Do you think it's even good for users? If someone had bad experience with PC security, at least these ads make them aware of an alternative.

  18. Couldn't they have done this a year ago? by emil · · Score: 2, Interesting

    The final CPU for the 8.1.7.4 database release comes out in January. It's highly unlikely that anything revealed in this effort will be fixed for 8.1.7.4.

    That's an important release... it's the last one (that's supported) that will talk to Oracle 7 or early v8 databases (as a client). My company has thousands of win32 clients rolled out, and a fair number of servers supporting some critical apps (think Peoplesoft).

    8.1.7.4 was a great release. Small, not a lot of cruft. I wish it (and we) weren't hanging in the breeze. DB2 customers are lucky for their long support.

  19. Discovered in our DB class by Tawnos · · Score: 3, Interesting

    Not necessarily a security bug, but it can be annoying. This comes from the project description, as a warning when trying to do natural joins for the project.
    This query:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from ord natural join item natural join product

    is evaluated incorrectly in Oracle 10g (rel. 10.2.0.1).

    Compare its output with the correct results generated by this query:

              select ordid, lineno, orderdate
                        , descrip "Description"
                        , total
              from item natural join product natural join ord

    or this:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from ord natural join (item natural join product)

    or this:

            select ordid, lineno, orderdate
                      , prodid
                      , descrip "Description"
                      , total
            from ord natural join item natural join product

    This solution:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from (ord natural join item) natural join product

    does not work either. The optimizer insists on doing a cartesian product between ORD and PRODUCT.

    This is a new bug. It does not exist in Oracle 9i, which evaluates all queries correctly.
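Added example, not part of the comment above and not the course's material: a small harness that runs the natural-join rewrites from the comment against an in-memory SQLite database and compares each with a reference query whose join conditions are written out explicitly, so the comparison does not depend on the engine's natural-join handling. SQLite stands in for Oracle here only to show what the correct result looks like; the tables ORD, ITEM and PRODUCT are a constructed minimal schema (column names chosen so that ORD and ITEM share only ORDID, ITEM and PRODUCT share only PRODID, and ORD and PRODUCT share nothing), not the course schema. The last function shows why a plan that pairs ORD with PRODUCT directly is suspect: with no common column, a natural join between them is a cartesian product.

```python
import sqlite3

# Constructed schema and rows (not the course data). Shared columns:
# ord/item -> ordid, item/product -> prodid, ord/product -> none.
SCHEMA_AND_DATA = """
CREATE TABLE ord     (ordid INTEGER PRIMARY KEY, orderdate TEXT, total REAL);
CREATE TABLE item    (ordid INTEGER, lineno INTEGER, prodid INTEGER,
                      PRIMARY KEY (ordid, lineno));
CREATE TABLE product (prodid INTEGER PRIMARY KEY, descrip TEXT);
INSERT INTO ord     VALUES (601, '2006-12-01', 120.0), (602, '2006-12-02', 45.5);
INSERT INTO item    VALUES (601, 1, 10), (601, 2, 11), (602, 1, 10);
INSERT INTO product VALUES (10, 'Widget'), (11, 'Gadget'), (12, 'Orphan');
"""

SELECT_LIST = 'SELECT ordid, lineno, orderdate, descrip "Description", total'

# Reference: every join condition spelled out, so the result is what the
# natural joins are supposed to produce regardless of how the engine plans them.
REFERENCE = """
SELECT o.ordid, i.lineno, o.orderdate, p.descrip "Description", o.total
FROM ord o
JOIN item i    ON i.ordid  = o.ordid
JOIN product p ON p.prodid = i.prodid
ORDER BY o.ordid, i.lineno
"""

# The FROM clauses from the comment; all of them must agree with REFERENCE.
FORMS = {
    "left_to_right": "ord natural join item natural join product",
    "reordered":     "item natural join product natural join ord",
    "right_grouped": "ord natural join (item natural join product)",
    "left_grouped":  "(ord natural join item) natural join product",
}


def fresh_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def check_natural_join_forms():
    """Run each rewrite and compare it with the reference rows.

    Returns (reference_rows, {form_name: "ok" | "MISMATCH" | "error: ..."}).
    A parse or planning failure is reported per form rather than aborting.
    """
    conn = fresh_db()
    expected = conn.execute(REFERENCE).fetchall()
    verdicts = {}
    for name, from_clause in FORMS.items():
        sql = f"{SELECT_LIST} FROM {from_clause} ORDER BY ordid, lineno"
        try:
            rows = conn.execute(sql).fetchall()
        except sqlite3.Error as exc:
            verdicts[name] = f"error: {exc}"
            continue
        verdicts[name] = "ok" if rows == expected else "MISMATCH"
    return expected, verdicts


def cross_join_row_count():
    """ORD and PRODUCT share no column, so a natural join between them is a
    cartesian product: 2 orders x 3 products = 6 rows, none of them meaningful."""
    conn = fresh_db()
    return conn.execute("SELECT count(*) FROM ord NATURAL JOIN product").fetchone()[0]


if __name__ == "__main__":
    expected, verdicts = check_natural_join_forms()
    for row in expected:
        print(row)
    for name, verdict in verdicts.items():
        print(f"{name:14s} {verdict}")
    print("ord NATURAL JOIN product rows:", cross_join_row_count())
```

The same harness can be pointed at any other engine by swapping the connection: if one of the rewrites returns more rows than the reference (the symptom of an ORD x PRODUCT cartesian product), that engine's natural-join planning is the suspect, and spelling the conditions out with ON or USING is the portable workaround.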

  20. Natural joins broken in Oracle 10g by indil · · Score: 1

    I'm taking a database class right now and a fellow student discovered a bug with the way Oracle 10g does natural joins. My professor says this bug wasn't in Oracle 9. Way to go regression testing!

    1. Re:Natural joins broken in Oracle 10g by eric2hill · · Score: 1

      Can you post the bug here, or email it to me? I'd be interested in seeing it, just so I don't run into it while coding...

      --
      LOAD "SIG",8,1
      LOADING...
      READY.
      RUN
    2. Re:Natural joins broken in Oracle 10g by will_die · · Score: 1
  21. FUD alert by kiwioddBall · · Score: 1

    The Oracle database certainly has its share of security holes. But so does every piece of software. So what.

    Whilst some parts of the Oracle Server can be exposed to clients, in my experience in Oracle (for 10 years) generally a back end Oracle Server is hidden so far within the data centre behind so many firewalls that it would be hard to get near it.

    What causes issues is that generally Oracle userids and passwords are stored in freetext somewhere in order to access the database by an application. This is not an Oracle issue, this is an implementation issue. Any exploits around elevated privileges after login could be alleviated by securing this better on the client side.

    It would be more helpful to highlight more commonly raised issues such as the one above and SQL injection. But of course this is less newsworthy and sensationalist.

    But that's my 2 cents.

  22. Check the Copyright - We Missed It... by Guido69 · · Score: 2

    "© Copyright 2004 Argeniss. All Rights Reserved."

    Must have been for 7i. Bet the response from Oracle will be something along the line of upgrade to 10g.

    --
    - If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
  23. Bah by iamacat · · Score: 1

    These days databases are seldom exposed to the Internet, so security exploits based on OCI or SQL problems are not important. Might as well disclose security exploits from within a driver loaded into kernel. They should disclose some application server bugs.