Oracles Patch Dilemma: Balancing Customers, Code and Researchers

By Lisa Vaas  |  Posted 2006-01-12 Print this article Print

News Analysis: An eWEEK tour of Oracle's security practices reveals the database maker's stance on researchers' findings as well as how seriously Oracle is taking customers' complaints as it battles to reduce patch time while improving quality.

Brace yourself: Another quarterly CPU (Critical Patch Update) is due out from Oracle Corp. on Jan. 17. With it will come what customers refer to as a nightmare of testing to ensure that the patch set doesnt break anything. If history is any guide, the event will soon be followed by headlines that scream about unpatched vulnerabilities left open for months upon months, and/or security researchers will point to Oracle patches that dont properly install fixed files or dont fix what they were supposed to. Security expert David Litchfield claims an Oracle security patch overlooked a critical hole that could leave Oracle databases open to remote attack. Click here to read more.
Enterprises are split regarding whom theyd like to draw and quarter: the security researchers who reveal unpatched vulnerabilities, or Oracle for sitting on vulnerabilities so long. But one thing is clear: Going forward, a more balanced look at Oracles security handling will begin to emerge.
Thats because, on Wednesday, Oracle took the first step toward abandoning its no-comment policy on security issues, opening its security processes up to a daylong probing by the media, with eWEEK being the first guinea pig in the experiment. This could be big for IT people in the trenches: It could herald the end of C-level executives squeaking in alarm over headlines that database administrators tend to disregard because they believe their Oracle technology isnt at great risk. Security experts call Oracles patching process slipshod and ponder whether the company needs a security makeover a la Microsoft. Click here to read more. The history of how Oracle has approached security is a long one, but when it comes to talking about security problems, the company says it has always put its customers needs first—hence the no-comment policy. Why Oracle changed its mind is a long story. But the straw that broke the camels back came in November. It came in the form of a report from security research Alexander Kornbrust, of Red-Database-Security GmbH, which stated that Kornbrust had found some 252 unpatched holes in Oracle Database 10g. Thats a lot of holes. And it made a lot of Oracles customers jump on the phone. Oracle told customers that an initial analysis of Kornbrusts findings determined that the majority—164—were false positives. Oracle Senior Management of Software Development Mark Fallon told eWEEK the actual number of real flaws was "a lot lower," and an Oracle spokeswoman said she believed it was on the order of about 10. The company said that the high number of false positives are due to the fact that Kornbrust used a simple search rather than a data flow analysis. Indeed, Kornbrust used a simple text editor to find the SQL injection bugs in 4 hours in a hotel room in Sweden, he told eWEEK. Hes not embarrassed by the unsophisticated tool, though, given that even one exploit would be a worthwhile find. "Keep in mind that a hacker only needs one working exploit (zero day), not dozens or hundreds," he said in an e-mail exchange. Within those 4 hours, he wrote three working exploits that allow privilege escalation, he said. As for using data flow analysis, Kornbrust said thats out of range for a small outfit like his. "I know that a proper data analysis takes a lot of time and eliminates the false positives," he wrote. "Oracle has a lot more resources than Red-Database-Security, and Im doing this in my free time, and Im quite busy at the moment." Next Page: Devoting resources to research vulnerabilities.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel