On Security, Is Oracle the Next Microsoft?
By Paul F. Roberts | Posted 09-16-2005
Oracle's acquisition of PeopleSoft and Retek for more than $11 billion in recent months, together with the planned purchase of Siebel for $5.88 billion, will transform the company into an enterprise software giant.
But there are signs of danger ahead for the Redwood Shores, Calif. company as reports of a backlog of unfixed software holes and buggy product patches cause some to wonder whether the database software pioneer is headed for a security crisis.
In the last year, Oracle Corp. was muddied by a series of mishaps and missteps that include faulty product patches and withering criticism from independent security researchers, who charge that the company lacks security discipline.
The company's senior security officer defends Oracle's ongoing work to improve the security of its products. But experts are concerned that Oracle lacks a coherent plan to make all its products more secure.
In July, Oracle was forced to fix an already released software patch after security researcher David Litchfield of NGS Security Software Ltd. in Surrey, U.K., discovered that a database patch it released in April didn't properly install fixed files on machines that were vulnerable.
In August, Litchfield stung Oracle again with an analysis of the company's OPatch utility, which he said gave Oracle customers the impression that their servers were adequately patched, when they often were not.
Speaking with eWEEK Magazine, Oracle CSO Mary Ann Davidson admitted that the company had a problem with one of 100 issues that it fixed in its most recent quarterly Critical Patch Update (CPU).
Davidson admitted that the company did not adequately check to make sure that the patch components were installed correctly on Oracle systems where the patch was applied.
The company has addressed the problem by having Davidson's security group test outgoing patches before they are shipped. In the long term, Oracle will implement a full test suite to evaluate product patches.
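The failure described above, a patch that reports success while the fixed files never actually landed on the vulnerable host, is one a customer can catch independently of the vendor's patch tool. The following Python script is an added example, not code from eWEEK, Oracle, or OPatch: it takes a manifest of the files a patch is supposed to replace (path and expected SHA-256) and checks the installed tree against it, reporting files that are missing or still carry the pre-patch contents. The install tree, file names and hashes are all constructed inside the script for demonstration; in practice the manifest would be derived from the patch payload itself, not from the tool's own "applied" inventory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_from_payload(payload_dir):
    """Build {relative path: sha256} from an unpacked patch payload directory.

    This is how a verifier would get ground truth: hash the files the patch
    ships, rather than trusting the patch tool's record of what it installed.
    """
    payload = Path(payload_dir)
    return {
        str(p.relative_to(payload)).replace("\\", "/"): sha256_of(p)
        for p in payload.rglob("*")
        if p.is_file()
    }


def verify_patch(install_root, manifest):
    """Compare each file the patch should have replaced against the manifest.

    Returns {"ok": [...], "missing": [...], "mismatch": [...]} with relative
    paths, so a missing or mismatched entry points at the exact file that was
    not actually updated.
    """
    result = {"ok": [], "missing": [], "mismatch": []}
    root = Path(install_root)
    for rel, expected in sorted(manifest.items()):
        installed = root / rel
        if not installed.is_file():
            result["missing"].append(rel)
        elif sha256_of(installed) != expected:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def patch_applied_correctly(result):
    """True only if every file in the manifest is present with the fixed contents."""
    return not result["missing"] and not result["mismatch"]


def build_demo():
    """Construct a fake payload and a fake install tree (hypothetical names).

    The install tree simulates the case the article describes: the patch tool
    says it ran, but only one of three fixed files was really written.
    """
    payload = Path(tempfile.mkdtemp(prefix="payload_"))
    install = Path(tempfile.mkdtemp(prefix="install_"))
    fixed = {
        "lib/libexample.so": b"fixed library v2\n",
        "bin/example": b"fixed binary v2\n",
        "etc/example.conf": b"fixed config v2\n",
    }
    for rel, data in fixed.items():
        (payload / rel).parent.mkdir(parents=True, exist_ok=True)
        (payload / rel).write_bytes(data)
    for sub in ("lib", "bin", "etc"):
        (install / sub).mkdir()
    # Only the library was replaced; the binary is still the old build and
    # the config file was never written at all.
    (install / "lib/libexample.so").write_bytes(fixed["lib/libexample.so"])
    (install / "bin/example").write_bytes(b"old binary v1\n")
    return str(payload), str(install)


if __name__ == "__main__":
    payload_dir, install_dir = build_demo()
    manifest = manifest_from_payload(payload_dir)
    report = verify_patch(install_dir, manifest)
    for key in ("ok", "mismatch", "missing"):
        print(f"{key:9s}", report[key])
    print("patch fully applied:", patch_applied_correctly(report))
```

Hashing the installed files against the payload, rather than reading the tool's inventory, is the point: an inventory records that the tool believes it ran, while the hash comparison records what is actually on disk. A host that reports "patched" but shows entries under `mismatch` or `missing` is exactly the state the April patch left behind.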
Oracle has also come under fire for its slow response to security holes that are discovered by independent security researchers.
In July, Alexander Kornbrust, CEO of Red-Database-Security GmbH in Neunkirchen, Germany, published advisories for six unpatched holes in Oracle Forms and Oracle Reports, including one "high risk" hole that was more than two years old and could be used by a remote attacker to overwrite files on an Oracle application server with nothing more than a Web URL.
Kornbrust said he released the advisories after becoming impatient with Oracle's slow response.
In e-mail and phone conversations with eWEEK, he painted a picture of a company that does not communicate well with outsiders and seems reluctant to take responsibility for flaws in its products.
"You send an e-mail to Oracle. The same day you get an answer that they're looking into problem, but then nothing happens," he said.
Kornbrust said he has information on many critical bugs that are more than two or three years old.
The same is true at Argeniss Information Security in Argentina, where founder and CEO Cesar Cerrudo said his researchers have discovered many buffer overflow and SQL injection holes on Oracle database functions that are accessible to any database user, in addition to holes that could be exploited in remote attacks that don't require the attacker to log in to the database and could be used to crash a database server.
"Some of these holes are very easy to find, so I don't know why Oracle hasn't patched them," Cerrudo said.
Unpatched Holes Keep Adding
Even more troubling, Argeniss researchers are finding known, unpatched holes stretching from Oracle's older 8i database through its latest 10g release, he said.
Davidson acknowledged that the company has a backlog of unpatched holes, though she disputed the numbers of holes quoted by researchers.
However, she attributed the build-up of unreleased patches to the company's shift to the quarterly CPU system, in which Oracle releases a large number of patches on a predetermined date each quarter.
According to Davidson, Oracle moved into the new quarterly CPU release schedule slowly and conservatively, causing the number of unfixed vulnerabilities to rise.
Starting in October, Oracle will "substantially increase" the number of fixes it releases each quarter to try to work through the backlog, she said.
Davidson has also taken a public stand against researchers like Litchfield and Kornbrust, who she says exaggerate the dimensions of security problems to get attention and expose innocent customers to unnecessary danger by revealing product holes.
"Good news doesn't sell," Davidson said, in response to a question about Litchfield's criticism of the OPatch utility.
While she acknowledges that some of the criticism from Litchfield and others is valid, Davidson said outsiders aren't privy to the 75 percent of product holes that Oracle discovers and fixes internally.
Outsiders also underestimate the difficulty of transferring fixes to the different platforms and product versions that Oracle supports.
Davidson cited internal measurements that the company has reduced the time and expense of applying patches by 60 to 80 percent between the April and July CPUs, and that the company is receiving far fewer support calls following a patch release.
But those outside the company worry that Oracle has not embraced security as whole-heartedly as Microsoft, which has developed company-wide systems, processes and architectures for improving the security of its products.
"From an architectural standpoint, Microsoft is ahead," said Jon Oltsik, a senior analyst at Enterprise Strategy Group, in Milford, Mass.
"Oracle is doing a good job of addressing security in its products, but they haven't figured out how security fits into their internal processes and overall architecture," he said.
Despite its reputation as a security basket case, Microsoft has embraced software security as a central tenet, and has developed a consistent architecture for user authentication and access control, as well as for product patch creation and distribution, he said.
Technologies like Active Directory and the Kerberos network authentication protocol are used consistently throughout Microsoft's product suite, whereas Oracle products frequently use different technologies for access control and user management.
"Right now, Microsoft has a better story on that," Oltsik said. The story is similar with product updates, though Oracle has made strides to streamline patch distribution with its CPU program, experts agree.
Can Developers Be Relied On to Test Security?
"In my opinion, Oracle doesn't have enough people (working on) security. They have so many different products," said Kornbrust.
According to Davidson, Oracle developers carry most of the weight of fixing security holes in their code, with so-called "bug handlers" from Davidson's group dealing directly with developers when questions arise about a particular fault.
Members of Davidson's group, or Davidson herself, occasionally "ride in on a broom" to staff meetings when questions arise about product security, or to enforce the company's policy on secure coding, she said.
But relying on developers creates problems when those developers lack security expertise, said Kornbrust, who claims to be a former employee of Oracle in Germany and Switzerland.
"They're just normal developers, and it's difficult to test your own product," he said.
Individual developers also have too much leeway to decide, unilaterally, whether or not a problem is a security risk, Kornbrust and Cerrudo said.
In contrast, Microsoft has established a separate Security Technology & Business Unit that acts as a central security consulting organization for the entire company, said Michael Howard, senior security program manager at Microsoft.
The company has a defined reporting hierarchy and point persons in each product group through which security issues are channeled, he said.
Microsoft is also building security expertise within each product group, using events like the recent "Blue Hat" gathering, in which hackers were brought in from outside to show Microsoft developers how they attack their code.
The company also relies heavily on automated scanning tools to spot security holes in computer code and on threat modeling technology that can spot potentially vulnerable features before they are even written, Howard said.
For example, the company shelved a planned Windows Update feature for its upcoming Vista release after threat modeling tools flagged the planned feature as a security risk.
"Five years ago, that feature would have been built, but two weeks from shipping, somebody would have said, 'What's that? We can't do that!' to a feature we spent 10,000 person hours building, documenting and shipping," Howard said.
Speaking with eWEEK, Davidson said that she is not a "policy fanatic," but that her group tries to enforce the company's security policies consistently across product groups and raise awareness of security best practices through "hack of the week" exercises that use real examples of security holes in Oracle products and mandatory online security training for developers.
Automated tools help, but put ultimate responsibility on developers and managers to improve the security of the company's products, Davidson said.
"(Automated tools) won't cure bad attitudes," she said.
"Oracle isn't nearly as far down the evolutionary path as Microsoft," said Ted Julian, vice president of marketing for Application Security Inc., of New York.
"You're talking about a complete change in how (Microsoft) thinks about security, top to bottom," he said.
Part of the reason may be that Microsoft's products, like Windows and Internet Explorer, have long been a target of inexperienced hackers.
On the other hand, compromising the far smaller number of sophisticated and well-defended Oracle products happens less frequently and requires much more skill, Julian said.
Still, Oracle has a long and hard development effort ahead of it to get its product groups integrated under one security architecture, Oltsik said.
"They need to double their commitment (to security) and standardize it across all their products and acquisitions," he said.
Like Microsoft, Oracle has to develop systems and processes for communicating with outside researchers, and figure out a way to push critical fixes out to customers quickly, rather than sitting on them or waiting for a quarterly patch release, said Julian.
"The last thing Oracle needs is a reputation of being insecure or arrogant about security," he said.
Still, the problems facing Oracle may not be so different from those facing other major database vendors, including IBM and Microsoft, itself, Julian said.
"I think the industry as a whole is getting its arms around the fact that database security is a big deal. They know they need to do something about this, but they're not sure what, or how and in what order," he said.