Oracle security basher found to have ties to
this article, noted Oracle-basher David Litchfield has financial ties to
Microsoft Corporation, leading some to question motives and
"After this story was published, the reporter asked David follow-up questions about ties to Microsoft and Oracle upon learning that Microsoft was a customer of NGS Software."
Litchfield's company's financial ties to Microsoft are not surprising to me, given his claims that a Windows-based database has "solved" security issues that Oracle somehow cannot overcome:
"While dissing Oracle, Litchfield is cheerleading for Microsoft. He has publicly stated that SQL Server 2005, the latest version of Microsoft's database software, is secure. This must hurt at Oracle, a Microsoft arch rival, which has already seen a significant piece of the database market go to the Redmond, Wash.-based software giant. . .
SQL Server 2005 is secure. (Microsoft has) solved the
This article describes how to do SQL injection attacks in SQL
chief of security has also noted a concern about putting Oracle customers at risk for what appears to be publicity:
"In reality, when a researcher puts customers at risk by releasing exploit code for a vulnerability before the vendor has had a chance to fix it, it's ridiculous to expect the vendor to say, 'Thank you for putting our customers at risk.'"
As author of "Oracle Privacy Security Auditing", I'm concerned about Litchfield's "sky is falling" hyperbole about Oracle exploits, many of which were exaggerated, such as exploits that require insider access (and thus presented no real threat from the
this note where Oracle found his "workaround" to be inept and likely to actually "break" Oracle, discrediting the workaround.
"Oracle was notified of the workaround before it was released, but has found it 'inadequate,' said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said.
"We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris
Putting Oracle customers at risk?
Evidently, Oracle Corporation also has "issues" with profiteering security companies who threaten disclosures that might aid criminals:
"Many researchers think that the more vulnerabilities they disclose publicly, the more vendors will hire them as
Some engage in explicit threats ('Pay me $X or sell this to iDefense') or implicit threats ('Fix it in the next three weeks because I am giving a paper at Black Hat')."
Oracle goes on to criticize these security advisors, claiming that they actually perform a disservice to the Oracle community by exploiting the internals of vulnerabilities and
"By just revealing what he has in this workaround, it definitely is a very strong starting point for any malicious hacker... to try and understand the vulnerability and produce an exploit," Harris said.
"Yes, we are clearly disappointed that he felt the need to say anything about this vulnerability before we had a patch available."
A dangerous thing to do?
Plus, many Oracle security experts suggest that the publication of "real" exploits constitutes aiding and abetting criminals, and Oracle Corporation recently chided some security experts as being "selfish", "irresponsible" and "dangerous" for openly publishing instructions on how to hack into Oracle databases:
"A few hours after Litchfield went public with a technical description of the flaw, including a blow-by-blow demonstration of the ease with which an attack could occur, Oracle lashed back, accusing the British researcher of putting its customers at severe risk for selfish,
Even as he downplayed the severity of the flaw, Harris said Litchfield's decision to go the way of "irresponsible disclosure" was a "dangerous thing