Security Disclosure Debate Erupts at Black Hat

News Analysis: Oracle reacts dismissively to an alert released by a British security researcher highlighting a zero-day hole in its product line, rekindling debate on the broken disclosure loop. Will it ever go away?

There was an uncharacteristic edge to David Litchfield's voice when he took the stage at the Black Hat Federal Briefings in Arlington, Va., this week.

Five minutes into his presentation—which centered on an unpatched vulnerability in the Oracle PL/SQL Gateway—it was clear that Litchfield, a noted database security expert, had completely given up with trying to nudge Oracle into fixing a flaw he rates as "very, very serious."

"It's quite astonishing how backward they are in their approach to security," said Litchfield, co-founder of London, U.K.-based NGSS (Next Generation Security Software).

A few hours after Litchfield went public with a technical description of the flaw, including a blow-by-blow demonstration of the ease with which an attack could occur, Oracle lashed back, accusing the British researcher of putting its customers at severe risk for selfish, irresponsible reasons.

Duncan Harris, senior director of security assurance at Oracle, acknowledged receipt of Litchfield's original warning three months ago and confirmed that some customers were at risk of SQL injection attacks.

"We have a policy where we fix bugs in severity order. This one wasn't fixed yet because we don't think it's as severe as [Litchfield] thinks it is," Harris said in an interview with eWEEK.

"There is a big disconnect in terms of what Litchfield believes and what we know to be true."

Even as he downplayed the severity of the flaw, Harris said Litchfield's decision to go the way of "irresponsible disclosure" was a "dangerous thing to do."


"He has put out a workaround that is completely insufficient and inadequate. We can't endorse his workaround because it will break a number of Oracle products. He doesn't help anything with this irresponsible action," Harris said.

The tiff between Oracle and Litchfield rekindles an old, never-ending debate on the issue of responsible disclosure and underscores the need for an acceptable protocol for cooperation between independent researchers and software vendors, says Jeff Moss, founder and CEO of the popular hacker conference.

Moss himself became entangled in the debate last summer when former ISS (Internet Security Systems) researcher Michael Lynn quit his job on the spot to present the first example of exploit shellcode in Cisco IOS (Internetwork Operating System), a Black Hat presentation that landed him in legal hot water.

Six months later, Moss maintains that the security research disclosure loop is broken, and may never be fixed.

"You've written this story before, and I'm pretty sure you'll be writing this story five years from now," he said in an interview with eWEEK moments after Litchfield's presentation.

"If everyone plays right, the [disclosure] process works. But, there will always be the companies like Oracle who refuse to play by the rules," Moss said.

"Here we have the researcher spending all this time finding these flaws, and his only reward is public recognition for his work. It's free quality assurance for Oracle, but they don't see it that way. They see him as an irresponsible hacker and miss the bigger picture."


"On the other hand, Litchfield feels he is being taken advantage of. What else is he supposed to do? In his mind, Oracle is the irresponsible party. He's doing free work for them and they're dismissive. That's a big, big problem in this industry," Moss added.

He said Oracle's decision to publicly denounce the work of legitimate researchers only serves to push the discussion into the underground.

"You have two conversations going on. There are guys like Litchfield who find the problems and want to report them to the vendor. When Oracle talks about them being irresponsible, they aren't talking about the organized crime groups who will never play nice. That's the unfortunate thing."
