Oracle taken to task for time to fix vulnerabilities

'Fell through the cracks'


Claiming that Oracle has failed to fix six vulnerabilities despite having more than 650 days to issue a patch, researchers at security firm Red Database Security published details of the flaws on Tuesday.

The flaws vary in severity with three of the six classified by the firm as high risk, potentially allowing a remote attacker to compromise a server or overwrite files, according to advisories released by Red Database.

"Oracle's behavior (in) not fixing critical security bugs for a long time - over 650 days - is not acceptable for their customers," Alexander Kornbrust, CEO and principal researcher with the Neunkircher, Germany-based consultancy, said in the prologue to each advisory. "Oracle put their customers in danger - at least one critical vulnerability can be abused (by) any attacker via the Internet."

The public release of the advisories - along with instructions outlining techniques to exploit all but one of the flaws - marks the latest incident between independent security researchers and software companies, two groups frequently at odds over when, or even if, to disclose vulnerabilities.

In April, a showdown between database maker Sybase and flaw finders ended when the company allowed vulnerability researchers to release details of several flaws that had already been patched. At the CanSecWest conference in May, Microsoft presented details of how the company deals with flaws in an attempt to gain sympathy from independent security researchers.

In this case, Oracle did not address the criticism nor the flaws directly, but instead commented on how the information about the unpatched vulnerabilities was released.

"We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed," the company said in a statement. "We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available."

Red Database Security told Oracle of the flaws between July and September of 2003, according to the security firm's advisories. The company communicated with Oracle about the issues and, three months ago, gave the database maker until the July quarterly patch to fix the issues.

Oracle moved to a quarterly patch cycle almost a year ago and, in its July update, did not fix any of the vulnerabilities about which the security company had warned, according to Red Database.

"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," Red Database's Kornbrust said in the explanation introducing each flaw report. The reports were posted to the company's Web site, to the Full-Disclosure mailing list, and to the BugTraq mailing list, which is operated by SecurityFocus.

The high-severity flaws occur in the Oracle Forms and Oracle Reports components included in various versions of Oracle's Application Server and could allow an attacker to execute program code. Another flaw, also in Oracle Reports, could allow an attacker to overwrite files on the targeted server. The three remaining flaws are of lesser severity, according to Red Database.

Considering that at least one issues could be used to compromise Oracle databases remotely, the time taken to patch the issue is extreme, said Steve Manzuik, security product manager for security software maker eEye Digital Security.

"I have never seen any take this long," Manzuik said. "It is odd to go that long. In this case, I think something fell through the cracks. There may have been a miscommunication somewhere."

eEye also keeps track of the length of time it takes for a vendor to respond to its own flaw reports. The longest time any software maker has taken in about 370 days, Manzuik said.

Oracle restated its commitment to security in its statement.

"Security is a matter we take seriously at Oracle and our first priority is meeting customer needs and reducing their risk," the company said. "When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems."

Some researchers have argued that the increasing sophistication of binary analysis tools may make the disclosure debate a moot issue. Yet, disclosure of vulnerability information before a patch is available can have real financial consequences for a company.

A recent academic paper statistically linked flaw disclosure and a drop in the affected software company's stock price. The drop averaged 0.63 per cent, but in cases when a patch is not available, the average stock price dropped 1.5 per cent.

Oracle's stock price edged up 0.3 per cent on Tuesday, but fell 0.6 per cent in after-hours trading.

Copyright © 2005, SecurityFocus logo

Related stories

Oracle snaps up security firm
Oracle moves to quarterly patch cycle
Oracle's first monthly patch batch fails to placate critics


Other stories you might like

  • Moscow court fines Pinterest, Airbnb, Twitch, UPS for not storing data locally
    Data sovereignty is more important than Ukrainian sovereignty

    A Moscow court has fined Airbnb, Twitch, UPS, and Pinterest for not storing Russian user data locally, according to Russian regulator Roskomnadzor.

    The decision was handed down by the Tagansky District Court of Moscow after the four foreign companies allegedly did not provide documents confirming that the storage and processing of Russian personal data was conducted entirely in the country.

    Twitch, Pinterest and Airbnb were fined approximately $38,500 while UPS received a fine of roughly $19,200.

    Continue reading
  • Israel plans ‘Cyber-Dome’ to defeat digital attacks from Iran and others
    Already has 'Iron Dome' – does it need another hero?

    The new head of Israel's National Cyber Directorate (INCD) has announced the nation intends to build a "Cyber-Dome" – a national defense system to fend off digital attacks.

    Gaby Portnoy, director general of INCD, revealed plans for Cyber-Dome on Tuesday, delivering his first public speech since his appointment to the role in February. Portnoy is a 31-year veteran of the Israeli Defense Forces, which he exited as a brigadier general after also serving as head of operations for the Intelligence Corps, and leading visual intelligence team Unit 9900.

    "The Cyber-Dome will elevate national cyber security by implementing new mechanisms in the national cyber perimeter, reducing the harm from cyber attacks at scale," Portnoy told a conference in Tel Aviv. "The Cyber-Dome will also provide tools and services to elevate the protection of the national assets as a whole. The Dome is a new big data, AI, overall approach to proactive defense. It will synchronize nation-level real-time detection, analysis, and mitigation of threats."

    Continue reading
  • Intel to sell Massachusetts R&D site, once home to its only New England fab
    End of another era as former DEC facility faces demolition

    As Intel gets ready to build fabs in Arizona and Ohio, the x86 giant is planning to offload a 149-acre historic research and development site in Massachusetts that was once home to the company's only chip manufacturing plant in New England.

    An Intel spokesperson confirmed on Wednesday to The Register it plans to sell the property. The company expects to transfer the site to a new owner, a real-estate developer, next summer, whereupon it'll be torn down completely.

    The site is located at 75 Reed Rd in Hudson, Massachusetts, between Boston and Worcester. It has been home to more than 800 R&D employees, according to Intel. The spokesperson told us the US giant will move its Hudson employees to a facility it's leasing in Harvard, Massachusetts, about 13 miles away.

    Continue reading
  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • Arrogant, subtle, entitled: 'Toxic' open source GitHub discussions examined
    Developer interactions sometimes contain their own kind of poison

    Analysis Toxic discussions on open-source GitHub projects tend to involve entitlement, subtle insults, and arrogance, according to an academic study. That contrasts with the toxic behavior – typically bad language, hate speech, and harassment – found on other corners of the web.

    Whether that seems obvious or not, it's an interesting point to consider because, for one thing, it means technical and non-technical methods to detect and curb toxic behavior on one part of the internet may not therefore work well on GitHub, and if you're involved in communities on the code-hosting giant, you may find this research useful in combating trolls and unacceptable conduct.

    It may also mean systems intended to automatically detect and report toxicity in open-source projects, or at least ones on GitHub, may need to be developed specifically for that task due to their unique nature.

    Continue reading
  • Intel’s CEO shouldn’t be surprised America can’t get CHIPS Act together
    Silicon supremo warns he could prioritize expansion in Europe if Congress doesn’t approve subsidies

    Comment How serious is Intel about delaying the build-out of its planned $20 billion mega-fab site in Ohio?

    It turns out very serious, as Intel CEO Pat Gelsinger made clear on Tuesday, less than a week after his x86 giant delayed the groundbreaking ceremony for the Ohio site to show its displeasure over Congress' inability to pass $52 billion in subsidies to fund American semiconductor manufacturing.

    In comments at the Aspen Ideas Festival yesterday, Gelsinger warned Intel would prioritize building factories in Europe over the US if Congress fails to act on the long-stalled chip subsidies bill.

    Continue reading
  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading
  • City-killing asteroid won't hit Earth in 2052 after all
    ESA ruins our day with some bad news

    An asteroid predicted to hit Earth in 2052 has, for now, been removed from the European Space Agency's list of rocks to be worried about.

    Asteroid 2021 QM1 was described by ESA as "the riskiest asteroid known to humankind," at least among asteroids discovered in the past year. QM1 was spotted in August 2021 by Arizona-based Mount Lemmon observatory, and additional observations only made its path appear more threatening.

    "We could see its future paths around the Sun, and in 2052 it could come dangerously close to Earth. The more the asteroid was observed, the greater that risk became," said ESA Head of Planetary Defense Richard Moissl. 

    Continue reading
  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • How can we make the VC world less pale and male, Congress wonders
    'Combating tech bro culture' on the agenda this week for US House committee

    A US congressional hearing on "combating tech bro culture" in the venture capital world is will take place this week, with some of the biggest names in startup funding under the spotlight.

    The House Financial Services Committee's Task Force on Financial Technology is scheduled to meet on Thursday. FSC majority staff said in a memo [PDF] the hearing will focus on how VCs have failed to invest in, say, fintech companies founded by women and people of color. 

    We're told Sallie Krawcheck, CEO and cofounder of Ellevest; Marceau Michel, founder of Black Founders Matter; Abbey Wemimo, cofounder and co-CEO of Esusu; and Maryam Haque, executive director of Venture Forward have at least been invited to speak at the meeting.

    Continue reading

Biting the hand that feeds IT © 1998–2022