Is Oracle in denial about security?

Summary: The truth of the matter is that Oracle, like everyone else, never had unbreakable software, and based on the number of vulnerabilities disclosed in recent years its products are starting to look more breakable than any other database maker's.

TOPICS: Security

With more than 100 security vulnerabilities plaguing Oracle within the last year and potentially hundreds more yet to be patched, a new report on Oracle's weak authentication scheme by Joshua Wright (deputy director of training at the SANS Institute) and Carlos Cid couldn't have come at a worse time. Last week at the NS2005 SANS conference, Wright revealed serious weaknesses in Oracle's database authentication scheme, which made Dan Farber wonder whether Oracle should still be using the word "unbreakable" to describe its products. Oracle no longer uses the term "unbreakable", but it has switched to the marketing slogan "never breaks", which means essentially the same thing and is equally dubious. The truth of the matter is that Oracle, like everyone else, never had unbreakable software, and based on the number of vulnerabilities disclosed in recent years its products are starting to look more breakable than any other database maker's.

Finding password authentication weaknesses seems to be a specialty of Joshua Wright, whose ASLEAP tool earlier last year forced Cisco to admit problems with its LEAP wireless LAN authentication protocol. In December 2004, ASLEAP was upgraded with PPTP cracking capabilities, which affects common Microsoft and Linux VPN implementations. Software makers keep making the same mistakes over and over, violating the simplest best practices in password authentication. Two separate defenses are involved. On the wire, wrapping the authentication exchange in SSL or its successor TLS denies an eavesdropper the captured challenge/response material that a rapid offline dictionary or brute force attack needs. In storage, the defense is a good salt: a random, per-account value mixed into each password hash. A salt does not make a single guess any slower, but it forces an attacker to redo the entire dictionary for every account and makes precomputed hash tables useless. Oracle took the shortcut of using the username as the salt. Since the "system" account carries the same name on every Oracle database, its salt is the same everywhere, so a hacker can build one high speed offline attack tailored to that specific user and reuse it against any installation, gaining administrative privileges wherever it succeeds.
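The following is an added example, not code from the article, the Wright and Cid report, or Oracle: a toy model that makes the username-as-salt problem measurable. It uses SHA-256 as a stand-in hash (Oracle's real hashing algorithm is not modelled), a constructed eight-word wordlist, and a counter of hash invocations. Under the username-salted scheme the attacker hashes the wordlist once for "SYSTEM" and then cracks that account on any number of databases by table lookup; under a random per-account salt the wordlist has to be re-hashed for every stolen hash.

```python
# Added example (not from the article, the Wright/Cid paper, or Oracle).
# Models why "salt = username" lets an attacker precompute one offline
# attack against a specific account and reuse it across databases.
# SHA-256 is a stand-in hash; Oracle's actual algorithm is not modelled.
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist: deliberately tiny so the demo runs instantly.
WORDLIST = ["manager", "tiger", "oracle", "welcome1",
            "change_on_install", "password", "sys123", "admin"]

HASH_CALLS = {"count": 0}


def _h(data: bytes) -> str:
    """Stand-in one-way hash; counts invocations so work can be compared."""
    HASH_CALLS["count"] += 1
    return hashlib.sha256(data).hexdigest()


def hash_username_salt(username: str, password: str) -> str:
    """Scheme A: the salt is the username. Every database that has a
    SYSTEM account salts SYSTEM's password with exactly the same value."""
    return _h(username.upper().encode() + b":" + password.encode())


def hash_random_salt(password: str,
                     salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Scheme B: a random per-account salt, stored next to the hash."""
    if salt is None:
        salt = os.urandom(16)
    return salt, _h(salt + b":" + password.encode())


def precompute_table(username: str, wordlist: List[str]) -> Dict[str, str]:
    """Attacker, scheme A: hash -> password for ONE user, built once and
    then reused against every database's copy of that user."""
    return {hash_username_salt(username, w): w for w in wordlist}


def crack_username_salt(username: str, stolen_hashes: List[str],
                        wordlist: List[str]) -> List[Optional[str]]:
    table = precompute_table(username, wordlist)
    return [table.get(h) for h in stolen_hashes]      # lookups cost no hashing


def crack_random_salt(stolen: List[Tuple[bytes, str]],
                      wordlist: List[str]) -> List[Optional[str]]:
    """Attacker, scheme B: the salt differs per account, so the wordlist
    has to be re-hashed for every stolen (salt, hash) pair."""
    results: List[Optional[str]] = []
    for salt, h in stolen:
        found = None
        for w in wordlist:
            if hash_random_salt(w, salt)[1] == h:
                found = w
                break
        results.append(found)
    return results


def compare(n_databases: int = 5) -> Tuple[List[Optional[str]], int,
                                           List[Optional[str]], int]:
    """Crack SYSTEM's password on n_databases separate databases under each
    scheme. Returns (cracked_A, hash_calls_A, cracked_B, hash_calls_B)."""
    passwords = [WORDLIST[i % len(WORDLIST)] for i in range(n_databases)]

    stolen_a = [hash_username_salt("system", p) for p in passwords]
    HASH_CALLS["count"] = 0
    cracked_a = crack_username_salt("system", stolen_a, WORDLIST)
    work_a = HASH_CALLS["count"]          # always len(WORDLIST), however many DBs

    stolen_b = [hash_random_salt(p) for p in passwords]
    HASH_CALLS["count"] = 0
    cracked_b = crack_random_salt(stolen_b, WORDLIST)
    work_b = HASH_CALLS["count"]          # grows with the number of accounts

    return cracked_a, work_a, cracked_b, work_b


if __name__ == "__main__":
    for n in (5, 50):
        _, wa, _, wb = compare(n)
        print(f"{n:3d} databases: username-salt work={wa:4d}  random-salt work={wb:4d}")
```

The attacker's cost under scheme A is fixed at one pass over the wordlist no matter how many databases are targeted, which is exactly what a precomputed table for a well-known account name buys. Under scheme B the cost scales with the number of accounts attacked, and a bigger wordlist multiplies that cost per account rather than once.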

To make things worse, Oracle seems to have been stonewalling the two researchers rather than addressing the issue head on. Wright and Cid wouldn't be the first researchers to be ignored by Oracle; Alexander Kornbrust has been waiting more than two years to have some of the serious vulnerabilities he discovered addressed. There seems to be a deep culture of denial that afflicts not only Oracle the company but many Oracle consultants and administrators. Every time an embarrassing rash of vulnerabilities turns up in the quarterly mega-patches, attention is deflected elsewhere. It's common to hear Oracle "experts" say irrelevant things like "Oracle is protected behind a firewall while Microsoft SQL isn't." Never mind that the issue isn't about Microsoft SQL Server, or that Microsoft doesn't have nearly as many security problems with its database; being behind a corporate firewall should never be a free pass for application vulnerabilities. A firewall that lets the database listener port through passes a malicious query along with every legitimate one, so it typically does nothing against application layer vulnerabilities. It's time Oracle took a good look in the mirror and dealt with its problems honestly and thoroughly. Until it does, the flood of security holes will keep coming and will eventually catch up with its reputation.

  • Fat, dumb and happy

    Having a monopoly means never needing to go the extra mile - so you don't. Eventually everything catches up to you - so make your money fast and get out! Maybe it's time for Uncle Larry to sail away into the sunset . . .
    Roger Ramjet
  • The customer is key

    If customers don't ask about the deficiencies, and keep buying the product, then the vendor has no reason to address the issue.

    Once customers start pressing the problem, then Oracle will have to face it. But when stock value is king, it won't happen a second sooner. This is what finally got Microsoft to start putting a broader effort into shoring up their problems. Granted, it wasn't just that customers were vocalizing their concerns, but actually beginning to spend their dollars on alternatives such as Linux, but those actions can still be taken as customer comments.
    • With SQL 2005

      ...having much improved support for clustering, a better security record, and total integration with Visual Studio .NET, built-in reporting that rivals Crystal Reports, and a lower price, Oracle had better get their act together or they may start to lose market share.
      • Updating MSSQL is nothing

        You just apply the latest service pack for MS SQL 2000 and you're done as far as updates and patches are concerned. So long as you don't do anything stupid like leave a blank "sa" password or something really easy, you're doing pretty good.
        • I don't remember saying anything...

          ...about updating MSSQL, but I do agree with you. It used to be a pain a couple of years ago, but not now.
          • Ah my bad

            I thought you did. My bad.
  • High Barrier to Entry

    I believe one of the main reasons that Oracle products are widely perceived as more secure than the competition, besides their extreme haughtiness, is the (much?) higher barrier of entry. What I mean is, you're not gonna have a second-year college student mucking about with administering the server. So, you have well-trained, experienced DBAs running things, since most of the newbies would be hard pressed to figure out how to reconfigure the server anyway. Which brings me to my next point: even for the common Oracle expert, it is still not trivial to walk through all parts, sections, and options of the entire server product; hence, the vulnerabilities were not easily seen, simply because it was so hard to look.
    Only now, when the administration tools are much improved, almost on a par with SQL Server (almost, not quite... ok, maybe with what SQL Server was a bunch of years ago... ;-) ), is it possible, or rather easier, to see the vulnerabilities being exposed.

    Simply put, "Security by obscurity is not security". You just think it is.

    Avi D

    P.S. I'm pretty sure the same thing will happen with Linux (and maybe even standard Unix) within a few years... if management tools actually ever become trivial and intuitive.
    <PLEASE, no anti-MS/anti-linux rants!!>