The eye of Oracle's security storm

David Litchfield, managing director of UK security software firm Next-Generation Security Software, found himself in the eye of a media storm after he pointed out some security flaws in Oracle's core database software at the Black Hat Security Briefings in Las Vegas last week.

The company reportedly discovered over 30 vulnerabilities in current and previous versions of Oracle's database applications.

Litchfield spoke to ZDNet UK about the background to his decision to go public with Oracle's problems even though some observers have accused him of being a troublemaker.

Have you been monitoring Oracle's security issues for a while?
There were press reports that I started pointing out Oracle security flaws once they launched their Unbreakable campaign, but that's not true. I was looking at Oracle products for security flaws before then, not just Oracle, but IBM, Microsoft and others. If you look at their own Oracle security alerts you'll see my name in there credited as finding various vulnerabilities before then. It probably came to most people's attention during the Oracle Unbreakable campaign, simply because that attracted a lot of media attention at the time.

What's the background to your most recent speech, which triggered all this discussion?
This time last year I was set to give a paper at a BlackHat conference about some flaws. Oracle promised that the patches would be ready before my talk, but five minutes before I was due to go on they told me they weren't ready. So I had to throw away my notes and give my speech off the cuff. Luckily I had enough material to talk about something else. I took that decision because if I had spoken about the flaws, I would have exposed customers to risk; I chose not so speak about it, which was the correct and responsible thing to.

So what happened this time?
This year I was going to be speaking on a new set of Oracle flaws. In January of this year I found about 34 in all and in March I decided to use them for my talk at BlackHat, so having informed Oracle they said again, "Don't worry, they'll be patched." I checked before I made the speech and once again the patches were not available. This time the flaws were not integral to the speech, so I was able to speak generally about PLS/SQL injection, which essentially allows an attacker to inject their own code to an application which has been written in PSL/SQL, and get super user privileges. What I had intended on doing was illustrating it with a real-world example, but because they hadn't fixed their patches, I spoke about the generic issues, and I didn't actually mention the specific flaws.

Are the flaws generic database issues, or more Oracle-specific?
There are some generic issues with these flaws, but some are extremely Oracle-specific, and most I would class as critical. One allows an attacker without a user ID and password to get complete control of the database remotely, so if the Oracle database firewall can be bypassed, then the server can be owned by an attacker. The other flaws allow low level guest users to get complete control of the database -- so these are critical. Some are denial of service; for some people if they are processing millions of pounds an hour then denial of service becomes critical.

Did you approach The Wall Street Journal with the story?
No. After I presented my talk, David Banks with The Wall Street Journal was one of the journalists who approached me after. In a sense all software has flaws, it's nothing new, but what has kicked up a storm is that these patches have been ready for months, yet Oracle has sat on them.

Why do you think the patches were delayed?
The reason they haven't delivered those patches is because they are updating their patch delivery process. Of course it's good to streamline their patch process mechanism but you have to keep running the old one until the new one is ready. I don't have a problem with a company taking ten months to a year patching, providing they are making the best effort to make a robust patch -- but I am against people sitting on patches for a couple of months once they're actually written. Oracle could learn a few lessons from the Microsoft approach.

Does this batch of problems merit the attention they're getting?
I have described all this as a storm in teacup, as all software has flaws, but if you say your product is unbreakable, perhaps it isn't. To market your products as unbreakable is flawed, but to sit on patches -- well, I don't see Oracle's customers getting any benefit from that. Oracle has not tried to contact me, but one would assume that it would have caused them a headache, but if their customers are going to be protected sooner than they would have otherwise have been, that's a worthy sacrifice. If people want to label me as a troublemaker, so be it, as long as customers are protected. I think I've acted responsibly; I protected them when they failed to provide patches they had said they would provide. I have given Oracle a bit of a headache because they've got to release the patches more quickly than they had planned to.

What should IT managers do about them?
It's important that people approach this calmly, and they need to do a proper security review, think about designing and configuring their servers on the principal of least privilege, so if a user doesn't need the functionality, you don't give them access to it. Employing the principle of least privilege will help alleviate a lot of these issues. Install those patches on test systems, make sure they work, and then get them on to production systems. People have to patch quickly.

ZDNet UK's Michael Parsons reported from London.