Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


On Security, Is Oracle the Next Microsoft?



 By: Paul F. Roberts
2005-09-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. On Security, Is Oracle the Next Microsoft?
  2. ' Unpatched Holes Keep Adding '
  3. ' Can Developers be Relied '

Rate This Article:
Poor Best
On Security, Is Oracle the Next Microsoft?
( Page 1 of 3 )

Oracle, despite being a database software giant, is widely accused of having lackluster security, and experts suggest the company clean up its act in the same vein as Microsoft.

Oracles acquisition of PeopleSoft and Retek for more than $11 billion in recent months, together with the planned purchase of Siebel for $5.88 billion, will transform the company into an enterprise software giant.

But there are signs of danger ahead for the Redwood Shores, Calif. company as reports of a backlog of unfixed software holes and buggy product patches cause some to wonder whether the database software pioneer is headed for a security crisis.

In the last year, Oracle Corp. was muddied by a series of mishaps and missteps that include faulty product patches and withering criticism from independent security researchers, who charge that the company lacks security discipline.

To read more about Oracles $5.85 billion acquisition of Siebel, click here.

Resource Library:
The companys senior security officer defends Oracles ongoing work to improve the security of its products. But experts are concerned that Oracle lacks a coherent plan to make all its products more secure.

In July, Oracle was forced to fix an already released software patch after security researcher David Litchfield of NGS Security Software Ltd. in Surrey, U.K., discovered that a database patch it released in April didnt properly install fixed files on machines that were vulnerable.

In August, Litchfield stung Oracle again with an analysis of the companys OPatch utility, which he said gave Oracle customers the impression that their servers were adequately patched, when they often were not.

Speaking with eWEEK Magazine, Oracle CSO Mary Ann Davidson admitted that the company had a problem with one of 100 issues that it fixed in its most recent quarterly Critical Patch Update (CPU).

Davidson admitted that the company did not adequately check to make sure that the patch components were installed correctly on Oracle systems where the patch was applied.

The company has addressed the problem by having Davidsons security group test outgoing patches before they are shipped. In the long term, Oracle will implement a full test suite to evaluate product patches.

Oracle has also come under fire for its slow response to security holes that are discovered by independent security researchers.

In July, Alexander Kornbrust, CEO of Red-Database-Security GmBH in Neunkirchen, Germany, published advisories for six, unpatched holes in Oracle Forms and Oracle Reports, including one "high risk" hole that was more than two years old and could be used by a remote attacker to overwrite files on an Oracle application server with nothing more than a Web url.

Kornbrust said he released the advisories after becoming impatient with Oracles slow response.

In e-mail and phone conversations with eWEEK, he painted a picture of a company that does not communicate well with outsiders and seems reluctant to take responsibility for flaws in its products.

"You send an e-mail to Oracle. The same day you get an answer that theyre looking into problem, but then nothing happens," he said.

Read more here about the challenges Oracle faces now that it has bought Siebel.

Kornbrust said he has information on many, critical bugs that are more than two or three years old.

The same is true at Argeniss Information Security in Argentina, where founder and CEO Cesar Cerrudo said his researchers have discovered many buffer overflow and SQL injection holes on Oracle database functions that are accessible to any database user, in addition to holes that could be exploited in remote attacks that dont require the attacker to log in to the database and could be used to crash a database server.

"Some of these holes are very easy to find, so I dont know why Oracle hasnt patched them," Cerruda said.

Next Page: Unpatched holes keep adding up.





  Reader Comments: On Security, Is Oracle the Next Microsoft?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}ks㶲*Q3Co{)ْ:,K3>*-EAc!)J6~bvKJc2;NƖ4Fw?HtiI-JΰQå&}$jFUeqԭf 1ey3H>uՌAmp;|/s=NN%j'~U3cFP6z2ٱ9:1 f Eg h{=Dm@~f(ELex"Z|gvL~ThG99&y%Q5EhDԨ#|Oad^x/4;U;f8&1ë |'3hV\0B΄; ۺ{G}ېJ3v"QcOj$ѡ%q˝LJAtX}w 5qar*rHtGwM:"nKu`;slqtMzcB3EuO_CԿ(ওʀs;8b#U6<}ezԽ / Ḻo:v0,2q騚˲>9h42M}ٰN4PheE9ɕŊEi2̙e gΨ6o{UMSJ{պGAnnp[^׵Vhn:y\u>5//Ƀ-NNw߈ Q"*b.w2I1zju{ i%oPK%_iv$f1\ӣH0F^8RAb9m5O{ Ҽ5ooZ&5.NoZs$oIJ3<RIӀH ZvFMzEyuvy4Zg.gg: Wh:M?)N/7#?!qj{zdPp8LsrP{$&Ped$Y͝r / !=W=nr*C2qew,nGbeQc5CaM<`~x搒ɔcPu tCfJ[c/U Շ7}SIs9j\K=0F & J pJq䠉3\ش 6,%hJH{g80TA0mv:]P8y3Dqɽ g/F/r.!}th8y*^̆4,*9;O?]/7KDi,,Ⱥs5-w1tY?i^:vެ>4{ݹvS?4AW"yƆƇh%",$uu騕toR7)iuvi|Q}Ѧ>R0}ݘiH'0\+Kݺ~N߳=U }sJY5UD$ l"C0Ixe&S@yOs L΃ށ27C/ FlMn@X^0{D`^@Z8ppyY?90C]q|bsB3=kќu&ܠ>Ψ C|'s\(L7^"" EEKi@  $hNar.lP^IHX-VpD ]'8.W BH {TKh+K@f:30YIBM& X* #n"09X ,gZ X%sZ!m0*gu8u/#JAQR×U^ğLŝ=CZasßOϡ GDx~GEڛPe ^whd&,'1SGT%]L"z ͇f )=PGddGɚ)OMThWfs&uי2hC ̇,g{*˗(Vzq}=ep? X(ܼ?iR5G|@]8?+uPƒ"`,+$2[mnv(d־j;NrBHSJ, Lj@'mdׇMR?q6Nq :SXh8ECW4jE;R4[ͦ[{ց$l #ʴ.ZX![q5ok )`|M("XR vϹ5Ӳ =r"sz QIJеcc926qw jrNս Kˌ٪MJ'V)|rc1 g%AqsGNm(%m$=sf4-]tg`ۉ3=p6LgbBmg6q sOЭ,pZV501sA'ű@b=]:P]L^^X.Wꚲ#]եޥ9$AYX#&:]4̄+udZ#TLk \}6؈y֚o'bAɩjEclq-Z`b9FkfSg`ZlrG8cJREyn{#Qքc'M=XtyYW>P!as`E . ڀ6 HK}"T90|*U%ˈ`S@@kSU ㈛.ZE^v~V%Ŵ밢Ԙ}Rː 0gxWyd{.>3ITʥvthEU-NjTBgUtveGOfԀA_}ԁd}sX̝V*}zK]W>sAWμ+ ۟0E<&&{#KeX}0t!#'8@zU0eESU[+;ߟ?F]h6B\4<`5 pfnWQ=K+j9['BO.x;z6G}; !\QӲ( @x(8܎:-(W` >v1Ǩj 05-dpUUJrNe߯yQ/^tn)5# #2>pgrh)h f5 8};N`[9r欭p+,s Jb+ͤV(Ecߛ޲Uzv}joCwu1UOg*})#ʜyoS Y-q'&.R^pT31fkg#>/ciɕ",߸/̉go3X唲Z<1lz tq6v!ŏhȇermfًC~!=բA緢q[gKZPb> +8rinY+#t0-<7W" "l; e|פXɁ厈2Ov^Iў|2d6 j>c+jBgej@͎skqmgiV6p]w3M"> h zlɪ+> tV\9'gI;"cDtwU4qzh7(۞jMp͙Oh#;wk?ʾ>AUR%| ۖ bHa!`$_,?#bEOP?o\,*\vI ^`|"@-`'d8o -"} ‚'T&nz_L&WF@"'!Z+Ԣ3,qv_ōyAhpqN9l_<<:^?jeIlsE6 6cJ~Zg^p t(+m5z$}UO:[?t[V0yOE˅+Kx4uhNJ~pxՐZ&?LeB&fB, 8oOHrQ^LE{{]o4ZW^6xv< 244r:m]к_>\vn)rٺjJ^GzkQ\ R?!pSf&8aڍ6Nr,#ZY?80fKiWa@ ձtnN,SVXS!}->mP4èO؆k*I֭ Bb.·߅B!lL'@w5FO.Ս A/ֳ}s@לO)|sE1|`'2,|eԪfn8Eq,ܚ13m/hաcݮ, #sá3M!H׼!Ͻ  .#AIԂ.3Q' 6l 2'|4KO$hͱ;nV>qBΚ9lw[÷ܓ9̆ÿA:CAwl'LUjx P?'v'c: I"IVU)yȪ̙S9OGg^q,8&ioҁ{W&-3(m#u8_2{K7+<|{xY aOU7]dKwK]åMzJ {9php;ث%ދJQǛyirГEBãCk&bi8W3[Tfȵo ?U'|ȞcԴ؉Ek&z}X3?zԯk@[ɰ=DΙ a dC%F;euw';c³D`H@7=éfgfvA j8itpfU0p18\}5߉:v"YcCƓdǟ໲6YP|9ߍ9S{G4j Z*2kp+cS;K//.̼V&R~2*wWƥ`5DܴXNuߘp:Sk~qU*[6uybQDHwt uF MZ.v&fĬՍ !CA̓bA%<(n*t:׺b:X9~'Cq $܋eѐ@X J11Et܋A(NLb*:}Q I]%Q0|8Vc"Pď?a8U0rFs$s*/敋㆔c̗|'%C$]q"v/.*Q=RfI,q`S9eQH ⛯xǤcViyCbg !_J|\IєT `vwu‡7jIHjmX\ iO'hg+*̃/V7,da7եSD"L1#AP $) [>&!dBƍHZLa|$Dc䞋s!EEIQ%UەFᲤ-]PhPp#!Ǜx5 pP{B}bYvSKJS7{ȧ9U} R8 to$KN`I8LW0I3$ѯ7bg}$i;‹ 7aЀ t-$à!Ú_*:`FU.:W2@n#Rj=u;ɱ-a3*|jYsHADHf2|S4SkOzZ~W+{*f0J=w!ZVGucDwe#+8 }>hmמTm_* WDe,#c%II+jnoooo/-T jH^6_X>X0M9yR/;.bj런> OD}߬]`,:S˨g 6G])EC$\:@ inh.6B H!Ec ^pq)h=ҎT{)iPb95mov.fG'Q܃"]1% H" !HDAJ!WAגzjϨ#_ER =3.ӻ"BȨ`$y+E@ J3Myw$.] ~M:^Ɓ%SDm Nx |'>f'1_ (V{1P;ylERt{R{!TtSKwCү05^#{H B˨R[|)iyKVg|Psw8؃VOū%-ʆlyT@en*aP~i$y:^jOɕ]ܗa93939393RT 0PjAj;/5gkC2cQ=g/;3,{11`x)D8$<aͪ ~e \h{}k|i&KYBbΘO9"7gLD(j!+{60u<vxm_H"8N .# Tw7SRH>X`("? q; JaL>JW):=zbj[^x}w̃ +Eug~P=o 1m+́c4چwtX8Uՙ{b@]nSfNUHXʦn8ڦ/ sjܐӢ[hL NLPैRJXU" aկaaնH}g|+-v??Fj Z'ɐ{vY:Kvlr+S]NSX͜nY N_WP(&ɸ/]~ֿu͋$ xc]oLl߼S ٩Ս9IIͼ=ڮl0K# ۀڎc l s$0WU5L {E\[K#˺tӕlaoJY,Z_KGlr{,GüCg؂_]ߓLFTce։ ɣV(dNHޘhSƚetz-16_}tEj7xPAft~'D)(=M% *c Ni:.M]"czD~RJ~ Ƅ`NgApI)(<:߇%8ȨQ?(p 1'{@=m ]=On/`+Ek)G>?|:%5&W.&F]kACgO`]?#=sʳAY.6鳏bi/r ]&~'z1π`ƖC0Uztc "D6J/%`#{n/~݉K6G&KI= 4yَLD5wn͜Ot 6جgQLʋG/.9W#=`\XY/&Yqo;ͳ.0$&ngtA.t[M@ئҶͨaksa\_ Ȋhd㝨=)z {nc|30] W1vRRm4h%j) :Lj{xbJbN!f&ɝ7 gFX usؾ[!VVߞĶru Zc>_E_Med8S:&?xMLSpX;)Gґޒ]q?}m@1"V3?rq\n\w t$rM(!ibwFyUW(9 cDTROa@9P=SbX"b\1Q(px ~2&f#"CP 6@א0Hall\gJp24G#1Cc 69ӈ1i}6bYZPbAmУ5:k?,Q X G3wȥ4͒/쬄; Dj`T;&]α"@; g o cn Q@ݘJ xIu~kR6sЁ"([]ă0>]wى_}O*Pn1YΌoUKr$@w#PcA~2Ll@Ĕ0ȗ$&Ѕ8h,.@"!9͉+1a]?'#~;Ŝk'6G-Lq{@a`1DGMMo )nyෝ6ঢ়626g;>@DJ'(R~)R{2W?W)sw2'?I/@)q SܤOMM诗BA6B_SZ9S>>oʁ~oSڿMi6NRS~ SӔBvB/"ȋ%৴rXB]WV=-b%xG,ElDZJCslžȞ0]QGl`]#=D~s)sҗe*msqj~@ @8ξrmv-~_x&@_q{ZGõ;Tu8ښ }3/߆rH'8+s8=4w)oRgUjpO_iR97pg >$UR1iybP*fN?Nnm75 ="&{HTMVY)q0ZQ%r(x%h[ioC-ˡǎ!p<@f݊5G P#tl=*ǫXڼx0,|yN؛ڎx @7 J,s@3ę{}xU}ƪ1iR  dD2y`p䣷d(>pi{Ìr >fݻz4=z<83mJ)F T |uixL$pgB-Kd1EXeD˦U憬ڂa jד=7;n%cH$QUe dHtjYl%21wHvP,dj#KDxaw. ]C/h{ojFEN,.p;70%7ן1˧~98=}v͘2 .Z)mĤ%oG;D7&FӴoErj9)Gu Z}Q&O4"4Vb"Oˉ35ƺ-7 ?~>nc[:3t ճ{Lmbx~ԙ%̋_ԻcW@ǹ~rhzr$\tEeבe$&JhZwE!-]q<ƄQ`At[ #,xH^*Ӻf$ӣM-ONtk.|cW >1v^@>Fыp`HzBG>&Ġ)`e h k۩8`=*s&zu Th8WS뚈1e#[I%i{j93鱿ä$Vr.V=n@UVAkL=SY,> ^?,J~%B*π MLz>K:"S2Q)jkI/?kuؽXDv+NŽ%}Ya v.~eP#t\҈T~R'9"E oPmJO{G}o ,AS6VoƾO3A>Xngp0Ŭ¡Ѷx ‹d2֭0ŵ : <VulםD dd9c7 掠pL%^]:|?Oe Mt0/o9kn>ʷa$L >zQdeRb05yMvSc ?dxE#bWp!@PEV*R8W KQ)YLAł=Qg&;KI.`ti2SQ"j-v6sNAeӵhWYn|`d-k^F:m`p ۂ{!}R>F+ ]'[ۧ3й?-}b/ e{m *| X ` GYu`kr[1-E6<܈Bx?ƃna@Z^sLN ^g{UTM)4m-^FE}YtxAwC\7oxa__JQ´Bd/KW±0^١C"ˣŬ"&D0Ȯ'o=g }&bԌaBbr =L$g8% ^೐l,/A,DT/D4;N79'_yfOȅ1,#{ĊN|\ kYy'ۭ<|P# ITO(V2p;^S|ֹD`g`/=!/ZK xsh&A0}zѺ/9uO+_1d͆-<G93UU+jX;hdn+:cQEaqzRQN v&bmS?۔U:M\"Zk/!zP.էr0:df֎Mn3a-dcˤ_ ?)