Oracle Corp. has acknowledged the existence of multiple security holes in its database software and said it plans to issue a security alert shortly. The U.K. security expert who found the holes criticized Oracle's conduct, saying that it has been sitting on patches that would fix the holes for about two months.
David Litchfield, managing director of Next Generation Security Software Ltd. of Sutton, Surrey, claims to have found 34 security vulnerabilities in past and current versions of Oracle's database software, at least one of which could allow a hacker to gain control of a company's database remotely without needing a password.
Litchfield said he notified Oracle of the vulnerabilities in January, and said the company told him two months ago that they had prepared patches to repair them. Oracle has not released the patches, however, because it is in the midst of introducing a new system for distributing security fixes to customers, according to Litchfield, who was critical of the delay.
"The way they should do it is to run the old system (for issuing patches) until the new system is ready for use," he said in a telephone interview from the U.K. Tuesday. "They have not handled this in the best way they could."
Litchfield mentioned the vulnerabilities last week in a presentation at the Black Hat computer security conference in Las Vegas. They were first reported by the Wall Street Journal Tuesday.
Oracle initially would not confirm or deny the vulnerabilities, saying only that it takes security matters seriously. Later Tuesday it appeared to confirm the flaws in a brief statement, but declined any further comment.
"Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better. Oracle has fixed the issues discussed in The Wall Street Journal and will issue a Security Alert soon," the statement read.
Oracle prides itself on the security of its database software. Its advertising campaigns have focused on the idea that its database is "unbreakable," and it often talks of its security certifications awarded by U.S. government agencies.
Litchfield declined to discuss the vulnerabilities in detail for fear of aiding hackers who might seek to exploit them. "In generic terms, the issues are buffer overflow vulnerabilities, PL/SQL injection vulnerabilities, and a couple of minor issues -- well, minor depending on how you do your risk assessment -- things like denial of service, passwords in clear text. Basically the whole gamut of vulnerability types."
Until the patches are issued, companies can mitigate risk by following best practices recommended by vendors and consultants, he said, including granting database users as few access privileges as is practically possible. "One can go a long way to mitigate the risk of these vulnerabilities, but some don't have workarounds," he said.
Litchfield said that about half of the vulnerabilities affect Oracle's newest, 10g database, and that three of them are unique to that database, meaning they don't affect previous versions.
Litchfield is known for releasing the proof-of-concept (or "exploit") code two years ago to help explain the threat caused by a vulnerability in Microsoft Corp.'s SQL Server database. The code was used by hackers as a template to create the Slammer worm, which went on to cause widespread and costly damage.
Litchfield said Tuesday that he has developed similar exploits for the vulnerabilities in Oracle's database but, after the Slammer experience, will not be releasing them.