Oracle security claim to be debunked – expert

Can Ellison redefine 'unbreakable' in time?


An Oracle advertisement emailed last week to InfoWorld subscribers typifies the software company's newest marketing campaign. It begins with the unsettling assertion that annual computer security incidents have increased ten-fold since 1997, then lists the ways that the company's database products can defend the reader against hackers. The ad ends with a now-familiar claim, "Oracle9i. Unbreakable. Can't break it. Can't break in."

That simple bold message of invulnerability has grown into something of an IT cultural touchstone since Oracle CEO Larry Ellison unveiled the campaign at Comdex last November. The "unbreakable" claim is writ large on billboards, sent out in email ads, printed in the glossy pages of magazines, and displayed on Web banners. Type "unbreakable" into Google and a sponsored link to Oracle is likely to pop up on top. The campaign seems to touch a chord, implicitly promising safety from unseen attackers, and certainty in an uncertain time.

If the marketing message suffers from one flaw, it is this: It isn't exactly true. In December, U.K. security researcher David Litchfield revealed that a common programming error -- a buffer overflow -- was present in Oracle's application server, potentially allowing hackers to gain remote access to the system over the Internet. PenTest Limited and eEye Digital Security followed up with advisories of their own on less severe holes. Fixes are available for all three bugs on the Oracle Web site, but the damage to the company's "unbreakable" messaging isn't as easily patched.

"If to them 'unbreakable' doesn't even mean they eliminate buffer overflows, how can it possibly mean they've secured the hard stuff?," says Bruce Schneier, founder and CTO of Counterpane Internet Security. "Fixing buffer overflows is the price of admission."

Making matters worse for Oracle, it turns out that those holes were little more than a prelude to a suite of at least seven vulnerabilities currently in the company's patch pipeline -- all of them discovered by Litchfield last fall. Assuming fixes are available in time, Litchfield plans to present the holes at a security conference in early February, including details of serious bugs that allow attackers to both "break it" and "break in."

"They range from buffer overflows, to something in the way Oracle communicates with different components," says Litchfield, lead designer and developer at NGSSoftware. "We can actually interject ourselves in between that communications process and run commands as SYSTEM on Windows NT or 2000. If it's running on a Unix system, we can run commands as the Oracle user remotely... So it's obviously very serious."

While Oracle's vulnerabilities are no greater in number or severity than those found in other major software products, some experts charge that the steady stream of security holes transforms "unbreakable" from a harmless marketing gimmick into a potentially dangerous misstatement.

"The more people out there saying they have an unbreakable product, it gives customers a false sense of security," says David Dittrich, senior security engineer at the University of Washington. "I'd rather they boast about having a good programming team, or a good auditing process."

'Obvious' Hole in Database Server

"We all know it's breakable," says Tim Mullen, CIO of AnchorIS.Com, and a columnist for SecurityFocus. Mullen broke the news of the latest batch of Oracle holes in a recent column critical of the company. "The only people who don't know it's breakable, apparently, are Ellison, and the reportedly high numbers of businesses that have now chosen to purchase the product as a result of the 'Unbreakable' campaign," Mullen says.

But Oracle chief security officer Mary Ann Davidson says the criticism is unfair. In an emailed response to Mullen's commentary, Davidson wrote that Oracle is giving the holes reported by Litchfield the "highest priority," but suggested that everything depends on what your definition of "unbreakable" is.

Rather than representing a literal claim that Oracle's products are impregnable, the campaign "speaks to" fourteen independent security evaluations that Oracle's database server passed, Davidson wrote, and "represents Oracle's commitment to a secure product lifecycle for our entire product suite."

"We believe the market effect of the 'Unbreakable' campaign raises the security bar and therefore improves security overall, both in forcing us to live up to the statement, and forcing others in the industry to begin to do the same," wrote Davidson. "If our security today is imperfect but better than the competition, and if customers make a buying decision based on that criteria, than in the long term you will see all products in the market improve."

A company spokesperson declined to discuss any particular security holes, or how they can be reconciled with Oracle's "Unbreakable" and "Can't break in" claims. But in a written statement, the company emphasized that Oracle responds quickly to close newly-discovered vulnerabilities -- an assessment with which Litchfield agrees.

"The Oracle database server itself runs on some sixty odd different operating systems," says Litchfield. "They have to test each different operating system. A couple of months is a speedy response."

Litchfield discovered the slew of vulnerabilities while developing NGSSoftware's Oracle security scanner, planned for release next month. He issued an advisory on one of the holes in December, after Oracle made a fix available. Details on the other, more serious holes remain a closely held secret pending more patches, which Litchfield hopes to see the company deliver in time for a presentation he has planned for the Black Hat Windows Security conference in New Orleans on 7 February.

He says he's not aware of any of the holes being actively exploited by hackers, but offers that one of the more serious vulnerabilities has been in every revision of Oracle's database server since at least Oracle 8, which was released in 1999. "When this information goes public, you'll go, 'Oh my God, that's so obvious, why didn't anybody think of that before?," says Litchfield.

Litchfield says he isn't bothered by Oracle's "Unbreakable" claim -- he's satisfied with Davidson's explanation that the campaign is really just meant to underscore the software's lineup of security certifications. But Schneier, and other experts, say that security is too serious to be made the stuff of exaggerated marketing claims.

"I don't like it when marketing jargon takes over reality," says Schneier. "The word 'unbreakable' has a meaning in English. When they say their software is unbreakable, they're lying."

© 2001 SecurityFocus.com All rights reserved.


Other stories you might like

  • Microsoft Azure to spin up AMD MI200 GPU clusters for 'large scale' AI training
    Windows giant carries a PyTorch for chip designer and its rival Nvidia

    Microsoft Build Microsoft Azure on Thursday revealed it will use AMD's top-tier MI200 Instinct GPUs to perform “large-scale” AI training in the cloud.

    “Azure will be the first public cloud to deploy clusters of AMD's flagship MI200 GPUs for large-scale AI training,” Microsoft CTO Kevin Scott said during the company’s Build conference this week. “We've already started testing these clusters using some of our own AI workloads with great performance.”

    AMD launched its MI200-series GPUs at its Accelerated Datacenter event last fall. The GPUs are based on AMD’s CDNA2 architecture and pack 58 billion transistors and up to 128GB of high-bandwidth memory into a dual-die package.

    Continue reading
  • New York City rips out last city-owned public payphones
    Y'know, those large cellphones fixed in place that you share with everyone and have to put coins in. Y'know, those metal disks representing...

    New York City this week ripped out its last municipally-owned payphones from Times Square to make room for Wi-Fi kiosks from city infrastructure project LinkNYC.

    "NYC's last free-standing payphones were removed today; they'll be replaced with a Link, boosting accessibility and connectivity across the city," LinkNYC said via Twitter.

    Manhattan Borough President Mark Levine said, "Truly the end of an era but also, hopefully, the start of a new one with more equity in technology access!"

    Continue reading
  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading

Biting the hand that feeds IT © 1998–2022