Researchers Take Aim At Oracle Database Security

A month after the Redwood Shores, Calif.-based database giant was criticized for downplaying security issues in a quarterly patch release, researchers from security firm Argeniss announced plans to publish a zero-day vulnerability in Oracle's database products every day for one week in December.

Argeniss' Week of Oracle Database Bugs is part of growing trend by security researchers to create awareness about vulnerabilities by going public with details on how to exploit them. In July, researcher HD Moore ran the Month of Browser Bugs project, and this month a security researcher who goes by the name L.M.H. is highlighting operating-system kernel vulnerabilities.

Argeniss claims to have found zero-day flaws for other database software vendors' products, but it said the volume of Oracle bugs is sufficient to run a yearlong campaign.

"Oracle is 'The Number One Star' when talking about lots of unpatched vulnerabilities and not caring about security," read a post on the Argeniss Web site.

David Litchfield, managing director of U.K.-based Next Generation Security Software and a vocal critic of Oracle's security practices, doesn't think the WoODB is the right way to deal with the problem. Although customer complaints will ultimately spur Oracle to fix the holes, he believes the potential impact of publishing vulnerabilities is too serious.

"I don't agree with it because the mechanism's effectiveness relies on putting Oracle customers at risk," Litchfield said.

Alexander Kornbrust, founder and CEO of Red Database Security, a Neunkirchen, Germany-based database security firm, also disagreed with the practice and said Oracle has improved the security of its products over the past year. Releasing zero-day vulnerabilities makes life difficult and forces database administrators and IT managers to spend valuable time evaluating the impact of the flaws and establishing workarounds, he said.

Oracle has already frozen the codeline of its January Critical Patch Update, which means the earliest that customers can expect a patch is April 2007, according to Kornbrust.

Oracle couldn't be reached for comment.

When it comes to responding to security issues in its products, Oracle has only recently come through the "denial" stage and is still in the "angry" stage, Litchfield said, adding that the vendor has yet to reach the "acceptance" stage when it comes to acknowledging the need to improve its approach to security.

In a paper published this week that compares the security of Microsoft SQL Server with that of Oracle RDBMS, Litchfield concluded that Oracle could improve security in its products by implementing a program like Microsoft's Secure Development Lifecycle (SDL), which promotes securing coding practices.

After SQL Server was plagued by vulnerabilities in 2002, Microsoft stopped development of SQL Server 2005 -- also known as Yukon -- and retrained its programmers with an emphasis on security. The fact that there have been no major security issues reported in SQL Server 2005 suggests that the SDL is a good approach to follow, according to Litchfield.

However, Oracle will have to make more changes to the makeup of its security team to boost its security reputation, Litchfield added. "I think it's going to require fresh blood [and] a younger, more dynamic security team, which understands that security is no longer just about about Department Of Defense standards," he said.