For a company that boasts of an “unbreakable” database, Oracle sure is being lackadaisical about a nasty clump of critical security flaws that Next-Generation Security Software uncovered back in January or February.
So far, Oracle has told the media that:
a) It knows about the flaws. That means there are no—repeat, no—issues with recreating the flaws in the lab. Thats a problem that often hampers software companies as they try to mimic the conditions that security researchers have managed to create in order to find a given glitch.
b) It has managed to create fixes. The patches are done. Theyre ready. In other words, theres no reason why your Oracle database should be sitting around with 34 security vulnerabilities that could allow buffer overflow attacks and/or remote, unauthorized access to databases via SQL injection techniques.
c) It responds as quickly as possible when security flaws are discovered. Whaaaa … ? According to ComputerWeekly, Oracle sent a statement saying, “When software security flaws are discovered, Oracle responds as quickly as possible with patches and workarounds to help protect information secured by customers in Oracle-based information systems.”
Its been a good seven or eight months since the vulnerabilities were discovered. Sure, eight months seems like it would be “as quickly as possible.” For a roomful of monkeys arbitrarily hitting keys to come up with a security fix. On broken keyboards.
The patches are ready. And yet still there resounds from Redwood Shores, Calif., a deafening silence, with no word from Oracle on when the patches will be released, nor any explanation of why this prolonged delay has occurred.
Nor is there any mention of the vulnerabilities on Oracle Technology Networks security alerts page, on which the most recent security bulletin relates to the June report of vulnerabilities in Oracle e-Business Suite.
Why the delay?
A rumor that has not been confirmed or denied by Oracle is that the company is planning to switch to a monthly, cumulative patch-release schedule, as Microsoft has done. The company is supposedly holding onto the bug fixes until it manages to ramp up this new procedure.
The rumor sounds plausible, according to Gartner analyst John Pescatore, whos been chatting with Oracle about the move. Gartner counseled Microsoft on its initial foray into monthly releases, and Pescatore told me he had a chat with Oracle a few months back on this subject, but he hasnt heard confirmation one way or the other on whether its a go.
In the meantime, should you worry about the bugs? Nah, probably not. As Pescatore and a handful of Oracle experts pointed out to me, Oracle databases tend to be pretty tight security-wise, residing as they most frequently do behind firewalls and manned by DBAs who were smart enough to become Oracle DBAs in the first place and therefore can pretty much be relied on to be smart enough to run secure databases.
Now, I wouldnt go so far as to hop on the bandwagon when it comes to criticizing David Litchfield of NGSS for spilling the beans on the bugs. Theres a lot of history between Oracle and Litchfield, but as he mentioned in a recent interview, he was finding Oracle bugs before the silly term “unbreakable” hatched in the dreams of Oracles marketing geniuses.
Still, on the other hand, bear in mind that finding bugs creates an awful lot of free press for security firms.
But were still left with this question: Why the silence? Im still trying to figure that one out, but the easy guess would be that Oracle doesnt like to wear the dunce cap when it comes to security. Thats a pity.
Microsoft deserves a heap of kudos for the security work its done since the Secure Computing Initiative was rolled out. If it keeps getting hit, its hardly surprising—when you have a target as large as a barn, youre going to suffer some gunshot damage.
Write to me at firstname.lastname@example.org.
eWEEK.com Associate Editor Lisa Vaas has written about enterprise applications since 1997.