Oracle Issues a Whopping 82 Patches
Security Fix recently ran an analysis of how long Microsoft takes on average to issue a fix for a security flaw once it is notified of the problem. That analysis took roughly six weeks to complete and to report, and shortly after we ran it I began looking into similar data on other major software providers, including Apple (as was leaked earlier this week), Mozilla and Oracle Corp. More details about those companies' time-to-patch history are forthcoming.
Given the time-consuming but relatively painless experience of gathering data published by those three companies, I was wholly unprepared for the challenge that would confront me collecting the same data from Oracle, quite possibly the largest provider of database software that stores invaluable customer and corporate information for thousands of major businesses worldwide.
Part of the problem is the sheer number of fixes to wade through (to say nothing of the complexity of their advisories.) On Tuesday, Oracle issued a quarterly "critical patch update" that includes at least 82 patches to fix an unspecified number of vulnerabilities in its products. Several of them, researchers said, could with minimal effort be exploited by attackers to gain access to or complete control over affected Oracle database products.
If you think 82 patches over a four-month period is excessive (Microsoft issued 55 last year for all of its software products), consider that Oracle issued 88 patches with its previous quarterly update in October.
For many of the security researchers who discover and report those flaws to Oracle, the most galling data point is how long it can take the company to ship fixes to correct serious security holes. Eight of the flaws addressed in Tuesday's patch bundle were reported by Alexander Kornbrust, a former Oracle employee and founder of Red-Database-Security GmbH. Kornbrust said he alerted Oracle to three of them more than two years ago, and that the company has yet to address at least 23 other flaws he's reported.
"I know that fixing security in large organizations isn't always easy, so anything fixed at a company the size of Oracle [in] three to nine months is from my perspective acceptable," Kornbrust said. "Nine months certainly is not ideal; a company should be able to fix any bug in that time frame."
David Litchfield of NGS Software, a British company that has reported dozens of vulnerabilities to Oracle and other software vendors over the past few years, said Tuesday's Oracle rollup fixed just two problems the company reported. Litchfield said Oracle still has not addressed some 38 other issues NGS reported -- many of which he said involve security issues on multiple Oracle software platforms.
"Some of these [problems fixed in Tuesday's release] are over two years old -- some were reported in [October 2005]," Litchfield said in an e-mail response to me. "One problem I'm disappointed they didn't fix in this patchset is an issue that allows attackers without a userID or password to gain full ... control of a database server. ... This problem is so severe I would have thought they would have given it priority -- but the fact that it's not been patched says otherwise."
Eleven of this month's patched vulnerabilities were reported by Argeniss, an Argentinian security research company. Argeniss reported all 11 of those flaws to Oracle in late February 2005, and Oracle still has to address 76 other vulnerabilities Argeniss reported, some nearly two years ago, according to Argeniss researcher Esteban Martinez Fayo.
Oracle spokeswoman Rebecca Hahn said the company was checking on the claims made by the researchers mentioned in this post. But she said Oracle typically places the most emphasis on fixing the most serious problems it knows about. As an example, she pointed to a patch issued Tuesday to cover a "severe flaw" in a number of its products reported in November by Foster City, Calif.-based security firm Imperva.
Interestingly enough, Imperva's advisory on that flaw takes Oracle to task for taking as long as it did (less than three months) to fix it, given the seriousness of the vulnerability and the number of company databases potentially at risk.
"During that time there was no recommended workaround for this undisclosed and unpatched vulnerability," the advisory reads. "While the complexity of modern database platforms may necessitate such delays they are not acceptable for companies who rely on databases to run their business. Databases hold the crown jewels of any organization and with the Web connecting customers, partners and remote employees to these databases, they are more exposed than ever."
I have to concur, to a degree: While late last year someone released computer code for an Internet worm designed to attack Oracle database weaknesses, the most likely scenario for an attacker would be a far less noisy assault, one that does not draw attention to the fact that attackers are bleeding the targeted company's database dry.
Hence, if there are widespread attacks against Oracle database servers, it is unlikely most people will ever hear about them -- that is, until an affected company is forced through various state data-breach notification laws to go public with a few details (none of which are likely to include the affected hardware or software.)
There are other reasons that conducting a longitudinal study of Oracle time-to-patch data could be tricky. For one thing, Oracle generally does not provide much data about patches that can be linked to external advisories (such as a CVE number or bug number).
One exception is when Oracle issues fixes for "public vulnerabilities," which include those that security researchers publish on their own or in cooperation with the release of an Oracle patch. The other is when Oracle fixes a flaw in something based on open-source software, such as the Apache Web server.
That's in part, I suspect, because the company finds more than 75 percent of the flaws itself, or at least according to Oracle chief security officer Mary Ann Davidson.
Still, that statement alone has some potentially significant implications. If we consider that Oracle finds more than 75 percent of flaws in-house, and the total number of the unpatched bugs reported to Oracle just by the above-mentioned security researchers is 137, how many flaws has Oracle uncovered in-house that it still hasn't fixed? Not sure I'll get the answer from Oracle, but at least I have asked the question.