The eye of Oracle's security storm

The company reportedly discovered over 30 vulnerabilities in current and previous versions of Oracle's database applications.
Litchfield spoke to ZDNet UK about the background to his decision to go public with Oracle's problems even though some observers have accused him of being a troublemaker.
Have you been monitoring Oracle's security issues for a while?
There were press reports that I started pointing out Oracle
security flaws once they launched their Unbreakable campaign, but
that's not true. I was looking at Oracle products for security flaws
before then, not just Oracle, but IBM, Microsoft and others. If you
look at their own Oracle security alerts you'll see my name in there
credited as finding various vulnerabilities before then. It probably
came to most people's attention during the Oracle Unbreakable campaign,
simply because that attracted a lot of media attention at the time.
What's the background to your most recent speech, which triggered all this discussion?
This time last year I was set to give a paper at a BlackHat
conference about some flaws. Oracle promised that the patches would be
ready before my talk, but five minutes before I was due to go on they
told me they weren't ready. So I had to throw away my notes and give my
speech off the cuff. Luckily I had enough material to talk about
something else. I took that decision because if I had spoken about the
flaws, I would have exposed customers to risk; I chose not to speak
about it, which was the correct and responsible thing to do.
So what happened this time?
This year I was going to be speaking on a new set of Oracle flaws.
In January of this year I found about 34 in all and in March I decided
to use them for my talk at BlackHat, so having informed Oracle they
said again, "Don't worry, they'll be patched." I checked before I made
the speech and once again the patches were not available. This time the
flaws were not integral to the speech, so I was able to speak generally
about PL/SQL injection, which essentially allows an attacker to inject
their own code to an application which has been written in PL/SQL, and
get super user privileges. What I had intended on doing was
illustrating it with a real-world example, but because they hadn't
fixed their patches, I spoke about the generic issues, and I didn't
actually mention the specific flaws.
Are the flaws generic database issues, or more Oracle-specific?
There are some generic issues with these flaws, but some are extremely
Oracle-specific, and most I would class as critical. One allows an
attacker without a user ID and password to get complete control of the
database remotely, so if the Oracle database firewall can be bypassed,
then the server can be owned by an attacker. The other flaws allow low
level guest users to get complete control of the database -- so these
are critical. Some are denial of service; for some people if they are
processing millions of pounds an hour then denial of service becomes
critical.
Did you approach The Wall Street Journal with the story?
No. After I presented my talk, David Banks with The Wall Street
Journal was one of the journalists who approached me after. In a sense
all software has flaws, it's nothing new, but what has kicked up a
storm is that these patches have been ready for months, yet Oracle has
sat on them.
Why do you think the patches were delayed?
The reason they haven't delivered those patches is because they are
updating their patch delivery process. Of course it's good to
streamline their patch process mechanism but you have to keep running
the old one until the new one is ready. I don't have a problem with a
company taking ten months to a year patching, providing they are making
the best effort to make a robust patch -- but I am against people
sitting on patches for a couple of months once they're actually
written. Oracle could learn a few lessons from the Microsoft approach.
Does this batch of problems merit the attention they're getting?
I have described all this as a storm in a teacup, as all software has
flaws, but if you say your product is unbreakable, perhaps it isn't. To
market your products as unbreakable is flawed, but to sit on patches --
well, I don't see Oracle's customers getting any benefit from that.
Oracle has not tried to contact me, but one would assume that it would
have caused them a headache, but if their customers are going to be
protected sooner than they would otherwise have been, that's a
worthy sacrifice. If people want to label me as a troublemaker, so be
it, as long as customers are protected. I think I've acted responsibly;
I protected them when they failed to provide patches they had said they
would provide. I have given Oracle a bit of a headache because they've
got to release the patches more quickly than they had planned to.
What should IT managers do about them?
It's important that people approach this calmly, and they need to
do a proper security review, think about designing and configuring
their servers on the principle of least privilege, so if a user doesn't
need the functionality, you don't give them access to it. Employing the
principle of least privilege will help alleviate a lot of these issues.
Install those patches on test systems, make sure they work, and then
get them on to production systems. People have to patch quickly.
ZDNet UK's Michael Parsons reported from London.