Close on the heels of Oracle's latest critical patch update, Gartner has published an advisory warning that, given the seriousness and the ease of exploit of the flaws involved, administrators have got to get over their laissez-faire attitude toward patching.
“Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur,” Gartner's Rich Mogull wrote.
Oracle administrators have traditionally relied on their servers being well tucked behind firewalls, in addition to Oracle's good record on strong security, and have thus oftentimes been slow to patch.
“Oracle databases have traditionally been located fairly deep within the enterprise,” Mogull said in an interview with eWEEK. “People are now used to, when a CPU [Critical Patch Update] comes out, to wait days to patch. With Oracle, they tend to wait longer. These systems run well, these systems don't have downtime issues, so administrators wait a bit of time before installing patches. … It's fairly well-understood in the industry they don't patch as frequently” as users of other vendors' software, he said.
Beyond that, Mogull said, patching is sometimes impossible, given lack of support for legacy Oracle versions. “Oracle doesn't support products quite as long as some other vendors out there,” he said.
Hence, “many, many” clients are locked into older Oracle versions, since they rely on third-party applications that run on those older systems, he said.
Regardless, the current laid-back attitude toward patching is unacceptable, Mogull said. “Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet,” he wrote in the advisory.
“At least on administrators' side, it's time to update their management practices a bit, to better prepare” for testing and patching, he said.
This need for more nimble patching shouldn't be too onerous, given Oracle's switch to a quarterly patch release, Mogull said, a circumstance that puts patching on a predictable, regular schedule.
At this point, no massive Oracle exploit has ever seized headlines a la Microsoft's experience with Slammer, et al. But researchers consider the event inevitable, given that some of the discovered Oracle flaws include SQL injections, which are easy to execute remotely via Web applications, Mogull said.
A case in point is DB18, one of the 82 patches issued by Oracle in January. Security experts warn that Oracle is obfuscating the seriousness of this flaw, which would allow any user to take control of an Oracle database just by modifying a URL.
As splashy as Slammer and its ilk are, an Oracle exploit would likely be more quiet and more lethal, given that Oracle databases and other applications run in the world's largest enterprises and thus contain far more valuable data.
“If we do see an exploit, we'll see worms quietly deploying and stealing information from systems,” Mogull said. “I want to give Oracle credit. They're the leader in databases because it's a great product. They're used in some of the most trusted environments out there.”
Oracle has long been criticized for lack of communication regarding specifics on vulnerabilities.
“They're years behind the industry,” Mogull said. “There's no other way to put it. They're trying to pave a path for issues that were determined long ago.”
Oracle's policy toward providing specifics has long been that it doesn't want to provide a road map for hackers to exploit systems. Thus, they often patch vulnerabilities without describing what the vulnerabilities are. Both are “archaic” practices, Mogull said, that run under the assumption that the bad guys won't discover the vulnerabilities on their own.
“Those guys are going to reverse-engineer these patches,” he said. “As well as some security researchers will release vulnerability information when they get it. But Oracle won't validate” the vulnerability information, he said.
“They evaluate it, they determine what the risk is, and they tell you what the risk is, in terms of impact,” Mogull said. “That's patronizing. If I'm an Oracle administrator or security officer, it's my job to measure risk to my organization, and I need the information to do that.”
As it is, Oracle has been working on better communication ever since the infamous Alert 68, Oracle's first multiple-patch release. When it was released, in August 2004, Next-Generation Security Software reported 10 vulnerabilities, including buffer overflow issues, PL/SQL injection, trigger abuse, character set conversion bugs and denial of service. Customers also complained of Oracle's lack of communication on severity issues.
Since then, Oracle's move to faster communication can be seen in the aftermath of the malicious Voyager non-activated worm code. Even though the non-worm resulted from insecure configuration of Listener accounts rather than from a code flaw, Oracle rushed to get information to customers regarding proper configuration.
Still, Mogull said, he expects better from a company with such good security features. “They have some of the best security features on the market,” he said. “They're years ahead of their competitors. But all of that is negated because of their cruddy disclosure policies. I can't rate that product highly as a secure product. I don't care how many features you have.”
Oracle hadn't yet responded to a request for comment by the time this story posted.