There was an uncharacteristic edge to David Litchfields voice when he took the stage at the Black Hat Federal Briefings in Arlington, Va., this week.
Five minutes into his presentation—which centered on an unpatched vulnerability in the Oracle PL/SQL Gateway—it was clear that Litchfield, a noted database security expert, had completely given up with trying to nudge Oracle into fixing a flaw he rates as “very, very serious.”
“Its quite astonishing how backward they are in their approach to security,” said Litchfield, co-founder of London, U.K.-based NGSS (Next Generation Security Software).
A few hours after Litchfield went public with a technical description of the flaw, including a blow-by-blow demonstration of ease in which an attack could occur, Oracle lashed back, accusing the British researcher of putting its customers at severe risk for selfish, irresponsible reasons.
Duncan Harris, senior director of security assurance at Oracle, acknowledged receipt of Litchfields original warning three months ago and confirmed that some customers were at risk of SQL injection attacks.
“We have a policy where we fix bugs in severity order. This one wasnt fixed yet because we dont think its as severe as [Litchfield] thinks it is,” Harris said in an interview with eWEEK.
“There is a big disconnect in terms of what Litchfield believes and what we know to be true.”
Even as he downplayed the severity of the flaw, Harris said Litchfields decision to go the way of “irresponsible disclosure” was a “dangerous thing to do.”
“He has put out a workaround that is completely insufficient and inadequate. We cant endorse his workaround because it will break a number of Oracle products. He doesnt help anything with this irresponsible action,” Harris said.
The tiff between Oracle and Litchfield rekindles an old, never-ending debate on the issue of responsible disclosure and underscores the need for an acceptable protocol for cooperation between independent researchers and software vendors, says Jeff Moss, founder and CEO of the popular hackers conference.
Moss himself became entangled in the debate last summer when former ISS (Internet Security Systems) researcher Michael Lynn quit his job on the spot to present the first example of exploit shellcode in Cisco IOS (Internetwork Operating System), a Black Hat presentation that landed him in legal hot water.
Six months later, Moss maintains that the security research disclosure loop is broken, and may never be fixed.
“Youve written this story before, and Im pretty sure youll be writing this story five years from now,” he said in an interview with eWEEK moments after Litchfields presentation.
“If everyone plays right, the [disclosure] process works. But, there will always be the companies like Oracle who refuse to play by the rules,” Moss said.
“Here we have the researcher spending all this time finding these flaws, and his only reward is public recognition for his work. Its free quality assurance for Oracle, but they dont see it that way. They see him as an irresponsible hacker and miss the bigger picture.”
“On the other hand, Litchfield feels he is being taken advantage of. What else is he supposed to do? In his mind, Oracle is the irresponsible party. Hes doing free work for them and theyre dismissive. Thats a big, big problem in this industry,” Moss added.
He said Oracles decision to publicly denounce the work of legitimate researchers only serves to push the discussion into the underground.
“You have two conversations going on. There are guys like Litchfield who find the problems and want to report them to the vendor. When Oracle talks about them being irresponsible, they arent talking about the organized crime groups who will never play nice. Thats the unfortunate thing.”
: A Good Example?”>
Litchfield, ironically, thinks Oracle is the exception in an industry where Microsoft, IBM and other big-name vendors have totally accepted the work of hackers to do independent code audits.
“The process is quite mature. Its not perfect, but it works,” Litchfield said. “Occasionally things go wrong, but I wont say its a broken loop.”
“Look at Microsoft. Every year they release between 50 and 60 security bulletins. They dont cause a blip because they have a process that works very well. Of course, you have the occasional case when someone will post a zero-day but thats not because Microsoft is not responding. Microsoft has a perfect process to handle the back-and-forth with researchers reporting a vulnerability,” Litchfield added.
“Oracle loves to criticize Microsoft, but they really should be learning from Microsoft. Im sorry, thats just a fact,” he said.
Black Hats Moss agreed that Microsoft, which was once a pariah in security circles, is now the standard by which others should be forced to operate.
“Microsoft is the example of how to do it. Oracle is how not to do it.”
Moss has some proposals for fixing the loop. For starters, he suggests that businesses actively encourage security research through research programs.
“If it can be structured and documented publicly, then everyone knows the rules. They know who to contact and they know there is a process that treats the researcher with respect.”
Moss also called for a legal clarification on the status of reverse engineering for security purposes under the DMCA [Digital Millennium Copyright Act].
He said this would provide some legal stability for bug finders and discourage malicious legal attacks designed to stop researchers from publishing their findings.
“The alternative is underground research and anonymous bug postings. I dont like to advocate more and more laws, but what I do want is some clarity from the courts and direction from the law makers,” Moss added.
“If you discourage and prosecute hackers who are doing free work for you, you not only antagonize them but you push them into the underground and into the wrong hands. There are already some zero-day mailing lists that only accept you if you submit a zero-day exploit of some significance. Theres a fair degree of trading already going on.”
Litchfield believes Oracles customers must agitate for top-down change at the Redwood City, Calif.-based vendor.
“Oracle really doesnt understand that I dont have to tell them anything. Security researchers dont have to play by their rules. We choose to act responsibly and wait for them to fix things. But, when they take 200, 300, 800 days, we just cant sit around and not say anything.
“Whos being irresponsible here?” Litchfield asks.
Thats a question thats been around for a very long time. And it just isnt going away.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.