Page 2

By Lisa Vaas  |  Posted 2006-01-25 Print this article Print

At this point, no massive Oracle exploit has ever seized headlines a la Microsofts experience with Slammer, et al. But researchers consider the event inevitable, given that some of the discovered Oracle flaws include SQL injections, which are easy to execute remotely via Web applications, Mogull said. A case in point is DB18, one of the 82 patches issued by Oracle in January. Security experts warn that Oracle is obfuscating the seriousness of this flaw, which would allow any user to take control of an Oracle database just by modifying a URL.
As splashy as Slammer and its ilk are, an Oracle exploit would likely be more quiet and more lethal, given that Oracle databases and other applications run in the worlds largest enterprises and thus contain far more valuable data.
"If we do see an exploit, well see worms quietly deploying and stealing information from systems," Mogull said. "I want to give Oracle credit. Theyre the leader in databases because its a great product. Theyre used in some of the most trusted environments out there." Oracle has long been criticized for lack of communication regarding specifics on vulnerabilities. Oracle faces growing criticism about poor quality patches, known vulnerabilities left unpatched for too long, and poor communication about vulnerability specifics. At customers urging, its now working to turn it all around. Click here to read more. "Theyre years behind the industry," Mogull said. "Theres no other way to put it. Theyre trying to pave a path for issues that were determined long ago." Oracles policy toward providing specifics has long been that it doesnt want to provide a road map for hackers to exploit systems. Thus, they often patch vulnerabilities without describing what the vulnerabilities are. Both are "archaic" practices, Mogull said, that run under the assumption that the bad guys wont discover the vulnerabilities on their own. "Those guys are going to reverse-engineer these patches," he said. "As well as some security researchers will release vulnerability information when they get it. But Oracle wont validate" the vulnerability information, he said. "They evaluate it, they determine what the risk is, and they tell you what the risk is, in terms of impact," Mogull said. "Thats patronizing. If Im an Oracle administrator or security officer, its my job to measure risk to my organization, and I need the information to do that." As it is, Oracle has been working on better communication ever since the infamous Alert 68, Oracles first multiple-patch release. When it was released, in August 2004, Next-Generation Security Software reported 10 vulnerabilities, including buffer overflow issues, PL/SQL injection, trigger abuse, character set conversion bugs and denial of service. Customers also complained of Oracles lack of communication on severity issues. Since then, Oracles move to faster communication can be seen in the aftermath of the malicious Voyager non-activated worm code. Even though the non-worm was the result of insecure configuration on Listener accounts and not the result of a code flaw, Oracle rushed to get information to customers regarding proper configuration. Still, Mogull said, he expects better from a company with such good security features. "They have some of the best security features on the market," he said. "Theyre years ahead of their competitors. But all of that is negated because of their cruddy disclosure policies. I cant rate that product highly as a secure product. I dont care how many features you have." Oracle hadnt yet responded to a request for comment by the time this story posted. Check out eWEEK.coms for the latest database news, reviews and analysis.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel