Oracle Under Fire Over Security

Oracle Corp.'s recent acquisitions will transform the company into an enterprise software giant.

Oracle Corp.s recent acquisitions will transform the company into an enterprise software giant. But there are signs of danger ahead for the company, as reports of a backlog of unfixed software holes and buggy product patches are causing some to wonder whether the fast-growing database software pioneer is headed for a security crisis.

In the last year, Oracle has acquired Siebel Systems Inc. and PeopleSoft Inc., among others. During the same time period, the companys reputation in the security world has been muddied by a series of missteps that include faulty product patches and criticism from independent security researchers, who charge that the Redwood Shores, Calif., company lacks security discipline.

In July, Oracle was forced to fix an already- released software patch after security researcher David Litchfield of NGS Software Ltd., in Surrey, England, discovered that a database patch the company released in April didnt properly install fixed files on machines that were vulnerable. In August, Litchfield stung Oracle again with a harsh analysis of the companys Opatch utility, which Litchfield claimed fails to install critical patch components that are required to plug security holes in vulnerable systems. The utility gives Oracle customers the impression that their servers have been adequately patched when they often are not, Litchfield said.

Speaking with eWEEK, Oracle Chief Security Officer Mary Ann Davidson admitted that the company had a problem with one of 100 issues that it fixed in its quarterly Critical Patch Update.

The company did not adequately check to make sure that the patch components were installed correctly on Oracle systems where the patch was applied, Davidson said. Oracle has addressed the problem by having Davidsons security group test outgoing patches before they are shipped. In the long term, Oracle will implement a full test suite to evaluate product patches, she said.

Oracle has also come under fire for its slow response to security holes discovered by researchers. In July, Alexander Kornbrust, CEO of Red-Database-Security GmbH, in Neunkirchen, Germany, published advisories for six unpatched holes in Oracle Forms and Oracle Reports.

Kornbrust said he released the advisories after becoming impatient with Oracles slow response. He painted a picture of a company that does not communicate well with outsiders and seems reluctant to take responsibility for flaws in its products. "You send an e-mail to Oracle. The same day you get an answer that theyre looking into the problem, but then nothing happens," he said. Kornbrust said he has information on many critical bugs that are 2 or 3 years old.

At Argeniss Information Security in Parana, Argentina, founder and CEO Cesar Cerruda said his researchers have discovered many buffer overflow and SQL injection holes on Oracle database functions that are accessible to any database user, in addition to holes that could be exploited in remote attacks.

"Some of these holes are very easy to find, so I dont know why Oracle hasnt patched them," Cerruda said.

Even more troubling, Argeniss researchers are finding known, unpatched holes stretching from Oracles older 8i database through its latest 10g release, Cerruda said.

Davidson acknowledged that the company has a backlog of unpatched holes. She attributed the buildup in patches to the companys shift to the quarterly Critical Patch Update system, in which Oracle releases a large number of patches on a predetermined date each quarter.

According to Davidson, Oracle moved into the new release schedule slowly and conservatively, causing the number of unfixed vulnerabilities to rise. Starting next month, Oracle will "substantially increase" the number of fixes it releases each quarter to try to work through the backlog, she said.

Davidson has taken a public stand against researchers such as Litchfield and Kornbrust, who she said exaggerate the dimensions of security problems to get attention. "Good news doesnt sell," Davidson said, in response to a question about Litchfields criticism of the Opatch utility.

But those outside the company worry that Oracle has not embraced security as wholeheartedly as competitors have, such as Microsoft Corp., which has developed companywide systems, processes and architectures for improving the security of its products.

"Oracle is doing a good job of addressing security in its products, but they havent figured out how security fits into their internal processes and overall architecture," said Jon Oltsik, an analyst at Enterprise Strategy Group, in Milford, Mass.