Oracle Users Shrug at Security Woes

News Analysis: Are they in denial about scary-sounding security flaws, late patches and patches that need patching? No, users say, they're just locked down tight and don't find the bugs as troublesome in reality as they are in headlines.

Along with Cisco Systems Inc., Oracle was a choice whipping boy at last week's Black Hat USA security conference. Regardless, Oracle users remained unfazed by revelations about Oracle security both leading up to and coming from the show.

"In general, Oracle databases are subject to many fewer security attacks than are Microsoft [Corp.]'s database and Microsoft's other products," said Howard Fosdick, an independent consultant, president of FCI, and founder and past president of IDUG and CAMP, in an e-mail exchange. "[And] I think most Oracle users would agree that Oracle provides patches in a manner timely to any issues."

At issue are not only the security flaws themselves, but also how quickly Oracle patches known vulnerabilities and how well it patches those vulnerabilities.

To wit: At Black Hat, Alexander Kornbrust, founder and CEO of Red-Database-Security GmbH and a security researcher known for exposing Oracle product flaws, planned to demonstrate a simple way to crack the encryption used by Oracle database products.

Kornbrust maintains that DBMS Crypto and DBMS Obfuscation, two encryption features that ship with Oracle database products, can be cracked to reveal sensitive corporate data.

In the weeks leading up to the show, Kornbrust also warned that Oracle failed to patch several critical flaws for a period that now exceeds 700 days.

On top of that, Oracle's CPUs (cumulative patch updates) for April and July both turned out to be flawed and in need of further patching.

The flood of negative news spurred Oracle to emerge from its usual silence on security headlines. Last week, Oracle Chief Security Officer Mary Ann Davidson wrote an article in which she said that self-interested security researchers who publish flaws before patches are available endanger the industry with their thirst for fame.

Charles Garry says that database vendors shouldn't kill the messenger when it comes to security flaws.

Oracle users interviewed for this article agreed with Davidson.

"As for those researchers who let exploits and exploit code out of the bag … Well, let's just say that hanging, drawing and quartering is too good for them," said Dick Goulet, a senior Oracle DBA and Oracle Certified DBA, in an e-mail exchange. "And so what if it takes the vendor 700 days to patch the hole. It should be up to the vendor to open Pandora's box if they so desire, not these educated idiots. … They found an exploit, whether or not known by the hacker community, [and] why on earth would you want to place everyone's data at greater risk by publicizing it? All you fuel is more attempted exploits."

While some database experts find Oracle users' tranquility a sign that their heads are in the sand, given the flood of negative news, Oracle users say that their databases are generally tucked so carefully behind firewalls and tended to with such care that there's little need for concern.

Charles Garry writes that Oracle users are in denial when it comes to security bugs.

"We don't have our databases exposed to the Web, so hacker attacks are not much of a priority," Goulet said.
