Cyber Security Institute

Wednesday, January 25, 2006

Zero-day details underscore criticism of Oracle

A security researcher released details of a critical flaw in Oracle’s application and Web software on Wednesday, criticizing the company for not cooperating with the security community and taking too long to fix software issues that threaten its customers.  The flaw occurs in the way that a module in Oracle’s Apache Web server distribution handles input and could give external attackers the ability to take control of a backend Oracle database through the Web server, said David Litchfield, principal researcher of database security firm Next-Generation Security Software, during a presentation at the Black Hat Federal security conference.

The database company should have fixed the issue in the latest critical patch update (CPU), but failed to do so, he said, adding that he believes the flaw is more significant than a privilege escalation issue fixed in less than three months by Oracle in the latest update.

After hearing about the conference presentation, Oracle slammed the researcher for releasing information about the vulnerability, saying that doing so puts its customers in danger.  “We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available,” Duncan Harris, senior director of security assurance for Oracle, said in an interview with SecurityFocus.

At the Black Hat Security Briefings in Las Vegas last summer, networking giant Cisco and network protection firm Internet Security Systems filed suit against a security researcher for disclosing methods to run code on Cisco’s networking hardware.

On Wednesday, Litchfield posted a workaround for the vulnerability on SecurityFocus’ BugTraq mailing list.  However, Oracle said that it studied the workaround proposed by Litchfield and found it inadequate.  Other security professionals have also taken Oracle to task for its troubles in effectively handling security researchers and vulnerability disclosure.

http://www.securityfocus.com/news/11371?ref=rss

Posted on 01/25 | News