IBM has patched recently uncovered security vulnerabilities in its DB2 Universal Database, but the process it followed has left some security researchers wondering if the company is too tight-lipped on the subject.
One researcher is security company Application Security Inc., which last week found two holes in DB2. These follow two major vulnerabilities, reported Sept. 17, that enable root privilege on vulnerable servers.
Patches have been posted for the vulnerabilities, but what worries Aaron Newman, chief technology officer of ASI, in New York, is that a handful of researchers knew about the two major vulnerabilities a year ago, long before patches were released.
A spokeswoman for IBM, of Armonk, N.Y., said that the company takes security very seriously and that the vulnerabilities did not affect customers. Indeed, some DB2 users shrugged off the holes, saying that securitys only as good as the administrators managing the servers.
“The security is going to be as good as your personnel are, your standards and your procedures,” said Michael Dempsey, director of database administration at UNC Health Care, in Chapel Hill, N.C.
DB2 is unlikely to be hit with Internet-slowing hacks such as the Slammer worm, which struck Microsoft Corp.s SQL Server database early this year, ASIs Newman said. Rather, the danger is from a savvier breed of attack: a targeted one that goes after salable data, as opposed to destructive attacks such as Slammer.
“[An Internet-borne virus such as] Slammer isnt the real danger with database vulnerabilities,” Newman said. “The real danger is theres a buffer overflow out there that people arent patching because theres no Slammer worm out there. I dont think worms are what people should worry about. They should worry about targeted attacks meant to steal data.”
Mark Rowe, an IT security consultant at PenTest Ltd., in Manchester, England, said theres good reason IBM keeps quiet when vulnerabilities arise. Namely, DB2 runs on so many platforms, from Unix and Linux to mainframe flavors, that it takes a long time to fix them all.
“Theyve got so many platforms theyve got to cater to,” Rowe said. “The fix process takes a long time to go through and fully test.”
Meanwhile, disclosing vulnerabilities just puts systems at risk, Rowe said. PenTest itself last week reported DB2 vulnerabilities that the company discovered in November. As soon as a fix came out in IBMs FixPak 10a, the security company deemed it safe to release the news, Rowe said.