Oracle does have a lot of resources, but vetting 252 reported vulnerabilities isn't where its people want to devote them. As it is, the automated code assessment tools Oracle uses tend to turn up false positives, John Heimann, director of Oracle's security program management, told eWEEK. "These tools can help you find potential issues," he said. "But not everything found by the tools is necessarily a security bug. Automated tools aren't necessarily a substitute for human thought."

Thomas Kristensen, chief technology officer for the bug-monitoring company Secunia, is recognized as an impartial voice who has to deal with both vendors and security researchers. But he comes down on the side of Kornbrust when it comes to who should devote their resources to researching vulnerabilities. "One can always argue that it's the security researcher that should do all the work of verifying and assessing vulnerability of flaws found," he said. "But you can also say it's the vendor's job to find out if it's as dangerous as [the researcher] thinks. It's difficult to assess who should do what. But in the end, the one receiving money from the customer is the vendor. You can say researchers are doing a lot of work on behalf of the vendor for its customers."

Still, Kristensen said, it's important for researchers to at least prove the concept to a certain point, to explain to the vendor what the issues are and to explain criticality to some extent. "But the full extent of the vulnerability, you can't expect security researchers to go in and do all the work to do that," he said. "It's the vendor's responsibility to do that."

More on companies' minds, however, are two things: the time between flaw discovery and patch issuance, and patch quality. Oracle claimed that virtually all the issues Kornbrust discovered have already been fixed in the latest Oracle database release, 10gR2. It also said that fixes for all legitimate vulnerabilities affecting older versions will be released to customers in CPUs.
The problem with that, Kornbrust said, is that many bugs are still unfixed in 10gR1. That's backward priorities, he said, given that most customers haven't yet upgraded to R2. "At the moment, most 10g customers are using R1 as a production database and not R2," he said. "There is no advantage for most customers that the bugs are already fixed in a newer, not used version."

One blogger on Information Security News Desk, run by members of the security community, put it this way: "[Oracle Chief Security Officer Mary Ann Davidson is] right that fixes to even simple vulnerabilities still have to go through a full test and release cycle, but she's being disingenuous in claiming that Oracle has been responding in a timely manner to the notifications they've received. They haven't (and this is not new behavior)."
And in the hands of Oracle customers, such tools can result in a stack of vulnerabilities, plunked down in front of Oracle reps, who then have to pore through them and explain away false positives.