News Story by
Jaikumar Vijayan
AUGUST 09, 2004
(COMPUTERWORLD) -
Oracle Corp.'s ongoing effort to portray itself as a
vendor of "unbreakable" technology received a setback last week
when a British bug hunter disclosed that he had found 34
security vulnerabilities in the database vendor's products.
The flaws include several that could allow malicious
attackers to gain complete administrative control of compromised
database servers, claimed David Litchfield, managing director of
Surrey, England-based Next Generation Security Software Ltd.
"They include buffer overflows, SQL injection issues and a
whole range of other minor issues," said Litchfield. He said
that he reported them to Oracle in January and February
following his discovery.
"Some of them can be exploited without a user ID and
password, while others require them," Litchfield said. He
refused to provide further details of the flaws, citing his
concern that doing so before patches are distributed could pose
a security risk for users.
Some users defended Oracle's security record.
"I'm always very concerned about any flaws," said Howard
Muffler, director of enterprise services at Embry-Riddle
Aeronautical University in Daytona Beach, Fla. But the
university, which licenses a wide range of Oracle products, has
had few security issues with them so far, Muffler said. "Oracle
has always done a very good job of addressing security flaws and
addressing them swiftly," he said.
Oracle is "incredibly quick to respond to any security
issue," agreed Rich Niemiec, former president of the
International Oracle Users Group and CEO of TUSC, a
Chicago-based consultancy. "There will always be issues that
arise, given the complexity of the software," but Oracle has
been diligent in finding and fixing them, he said.
According to Litchfield, Oracle told him that patches were
available to fix the problems a few months ago. But the company
appears to be waiting for an updated patching process to become
ready before releasing the fixes, he said.
"It is my opinion that they could have run the old patching
process up until the time that the new patching procedure was
ready. There really is no point in exposing users to unnecessary
risks," he said.
Oracle last week confirmed the existence of the flaws but
refused to provide any further details. A company spokeswoman
said Oracle had fixed the flaws and would issue a security alert
"soon."
"Security is a matter we take seriously at Oracle, and while
we stand firmly behind the inherent security of our products, we
are always working to do better," she said.
News of the latest flaws came about two months after Oracle
warned users of a major flaw in its Oracle 11i E-Business Suite
and Oracle Applications 11.0 that could let attackers take
control of the underlying database.
Even so, Oracle's database is by "leaps and bounds" more
secure than competing products, said Don Burleson, president of
Burleson Consulting in Kittrell, N.C., and author of several
books on the security of Oracle products. He said the newly
disclosed flaws are unlikely to pose an immediate threat.
"Litchfield has made it his life's mission to find flaws in
Oracle's technology," Burleson said, adding that most of the
flaws are obscure and not easy to find.