30 security holes in Oracle
Source : http://www.zdnet.co.uk/zdnetuk/news/...9162536,00.htm
Security flaws discovered in Oracle's enterprise database application could in theory affect virtually all financial transactions. However, the company is playing down any potential security risks.
Oracle is keeping quiet about allegations that its ubiquitous database has at least 30 security vulnerabilities that could allow hackers to compromise the confidentiality of virtually all financial transactions.
David Litchfield, the MD of UK-based developer Next Generation Security Software, told The Wall Street Journal that he had discovered more than 30 security holes in Oracle's database that could allow hackers to compromise information stored within its records.
Oracle's relational database is used by so many enterprises, financial institutions, public organisations and e-commerce Web sites that virtually every financial transaction that is conducted will, at some point, pass through an Oracle database.
On Tuesday, Oracle refused to speak about the alleged flaws and instead issued a statement that neither confirmed nor denied the allegations. Instead, the company claimed its product was more secure than rival databases from IBM and Microsoft.
"Oracle, of any major software vendor, offers the most widely tested security software with 18 international security evaluations, compared to one evaluation for Microsoft's database and none for IBM," the statement said.
In a statement, Oracle said that "when software security flaws are discovered, Oracle responds as quickly as possible with patches and work-arounds in order to help protect information secured by customers in Oracle-based information systems."
According to the WSJ, Litchfield found problems in the PL/SQL code, which is used by custom applications to communicate with the database. If this code is flawed, administrators may be required to modify all their applications in order to properly secure them.
James Governor, principal analyst at RedMonk, said the flaw could cause a lot of problems for database administrators as Oracle will not be able to simply issue a patch because of the nature of the problem.
"If this is going to affect PL/SQL code, there is an awful lot of home-grown PL/SQL code out there -- it's not a packaged application that Oracle can patch," said Governor.
Governor said that a significant proportion of companies use Oracle for their transactional applications, and that Oracle has been pitching its database as a solution to enterprises' security problems for many years.
"Most financial transactions touch an Oracle database somewhere along the line. They have been pitching the idea that Oracle is a more secure database than other environments, and should be used as the heart of security in multiple environments," said Governor.
Governor said Litchfield's comments should be taken seriously because he has been responsible for uncovering security vulnerabilities in the past.
"Litchfield has uncovered significant vulnerabilities in other environments before and has a track record of someone that potentially we should listen to," said Governor.
Source : http://news.zdnet.co.uk/software/app...9162560,00.htm
More than 30 security holes unearthed by a UK researcher will be fixed promptly, says the software firm
Database software maker Oracle promised on Tuesday to quickly make patches available for the more than 30 flaws found by a British security researcher.
While details of the flaws have not been made public, David Litchfield, managing director of security software firm Next-Generation Security Software, gave some general information about the issues at the Black Hat Security Briefings in Las Vegas last week.
"Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better," the company said in a statement sent to ZDNet UK sister site CNET News.com. "Oracle has fixed the issues ... and will issue a security alert soon."
While information about the database flaws was to be released last week, the lack of patches convinced the security researcher to hold off. Litchfield first notified the software company of the problems -- some of which he ranked as critical -- in January.
Litchfield said on Tuesday that although he has repeatedly pointed out the flaws in its database software, Oracle has yet to issue any patches due to an ongoing shift in its corporate policies for releasing such information. The bug hunter added that by waiting to issue the security fixes, the company put itself before its customers.
"There are a whole range of issues," he said. "They're effectively leaving their customers exposed to unnecessary risks, and I think they're being a bit short-sighted by sitting on these patches for months."
Oracle released a patch for a critical flaw in the company's Oracle 11i E-Business Suite in June.
While Litchfield refused to elaborate in detail on the problems in the software, fearing that doing so would allow hackers to rapidly launch attacks against Oracle's customers, he said the problems range from large to small, encompassing everything from so-called buffer and heap overflow issues to poorly protected passwords. In some cases, he said, people without any username or password information could gain access to Oracle systems, while in other cases individuals with only limited access permissions could covertly upgrade their status to database administrator level.
Litchfield said he first began actively looking for holes in Oracle's software two years ago when the company launched its "unbreakable" marketing campaign, which touted the security strengths of its database software. With the help of several colleagues, Litchfield claims he found close to 50 flaws in the vendor's database programs in less than 24 hours.
"It was probably unwise for Oracle to advertise itself as unbreakable, and I know it raised some eyebrows even within the company," he said. "But marketing doesn't necessarily consult the developers when it builds its message for the public, and I think even now they'd admit that the claim really only speaks to Oracle's dedication to improving security in its products."
Litchfield points out that anyone who takes the time to peruse the company's listings of its previous security patches can figure out for themselves how vulnerable the company's products have been. However, the security expert said that Oracle is no more culpable of trying to hide that reality than many of its competitors, including Microsoft, IBM and others.
Litchfield said that Oracle may want to take a page from Microsoft's book in terms of improving the company's overall approach to patching holes in its software.
"Microsoft has traditionally been a big target, and they've suffered publicly because of that," he said. "But Microsoft has adopted better internal processes to address the problem, and they've now advanced past the rest of the market in terms of their ability to respond to new issues."
This is major! :)