At this point, no massive Oracle exploit has ever seized headlines the way Slammer and its successors did for Microsoft. But researchers consider such an event inevitable, given that some of the disclosed Oracle flaws are SQL injection bugs, which are easy to trigger remotely through Web applications, Mogull said. A case in point is DB18, one of the 82 patches Oracle issued in January. Security experts warn that Oracle is obscuring the seriousness of this flaw, which would allow any user to take control of an Oracle database simply by modifying a URL.

"If we do see an exploit, we'll see worms quietly deploying and stealing information from systems," Mogull said. "I want to give Oracle credit. They're the leader in databases because it's a great product. They're used in some of the most trusted environments out there."

Oracle has long been criticized for poor-quality patches, for leaving known vulnerabilities unpatched for too long and for saying little about the specifics of the vulnerabilities it does fix. At customers' urging, it is now working to turn that around.

"They're years behind the industry," Mogull said. "There's no other way to put it. They're trying to pave a path for issues that were determined long ago."

Oracle's long-standing position on providing specifics is that it does not want to hand attackers a road map for exploiting systems. Thus it often patches vulnerabilities without describing what they are. Both are "archaic" practices, Mogull said, resting on the assumption that the bad guys won't discover the vulnerabilities on their own.

"Those guys are going to reverse-engineer these patches," he said. "As well, some security researchers will release vulnerability information when they get it. But Oracle won't validate" the vulnerability information, he said.
"They evaluate it, they determine what the risk is, and they tell you what the risk is, in terms of impact," Mogull said. "That's patronizing. If I'm an Oracle administrator or security officer, it's my job to measure risk to my organization, and I need the information to do that."

As it is, Oracle has been working on better communication ever since the infamous Alert 68, its first multiple-patch release. When it was issued in August 2004, Next-Generation Security Software reported 10 vulnerabilities, including buffer overflows, PL/SQL injection, trigger abuse, character-set conversion bugs and denial of service. Customers also complained that Oracle said nothing about how severe the issues were.

Since then, Oracle's move toward faster communication could be seen in the aftermath of the Voyager worm code, malicious proof-of-concept code that never activated. Even though the non-worm relied on insecure configuration of Listener accounts rather than on a code flaw, Oracle rushed to get information on proper configuration to customers.

Still, Mogull said, he expects better from a company with such good security features. "They have some of the best security features on the market," he said. "They're years ahead of their competitors. But all of that is negated because of their cruddy disclosure policies. I can't rate that product highly as a secure product. I don't care how many features you have."

Oracle had not responded to a request for comment by the time this story posted.
As splashy as Slammer and its ilk were, an Oracle exploit would likely be quieter and more lethal, given that Oracle databases and other Oracle applications run in the world's largest enterprises and thus hold far more valuable data.