Three of the six vulnerabilities not fixed by Oracle in a security update earlier this month are labeled high risk by the German firm.

A German security firm has published details of six security vulnerabilities in Oracle’s software, three of them high-risk, that it says were not fixed in an Oracle security update earlier this month.

The decision to publish the vulnerabilities, which affect Oracle Reports, Oracle Forms, and indirectly some other Oracle products, raises again the issue of whether security experts should disclose holes in products before vendors have patched them.

Security firm Red-Database-Security GmbH, which specializes in Oracle products, says it reported the holes to Oracle almost two years ago. The database vendor acknowledged they exist but has still not patched them, according to Alexander Kornbrust, a business director at Red-Database-Security in Neunkirchen, Germany.

Kornbrust warned Oracle in April that if it did not fix the bugs with its next round of security patches, Red-Database-Security would publish details about them. Oracle released the quarterly patch update last week, fixing 49 holes in various products. It did not fix the bugs uncovered by Red-Database-Security, however, so the security firm released details of them Tuesday.

Red-Database-Security describes three of the bugs as high risk, two as medium risk and one as low risk. One of the high-risk flaws makes it possible for a hacker to overwrite files in the Oracle Application Server, according to Red-Database-Security. Oracle Reports is a component of the Oracle Application Server and is also used by its E-Business applications suite.

The holes are not hard to exploit and affect all recent versions of the products, according to Kornbrust. “In one case all you have to do is type in a URL,” he said. More information, including the workarounds, is at http://www.red-database-security.com/advisory/published_alerts.html

In a statement, Oracle said it takes security seriously.
Its policy is to fix vulnerabilities in order of severity, starting with high-priority issues, it said. “We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available,” the company said. An Oracle spokesman in the U.K. declined further comment.

Security firms have come under fire for releasing details of unpatched security flaws. Some experts argue that if vendors do not patch their products in a reasonable amount of time, then customers have a right to know that vulnerabilities exist. Others say that security firms never help customers by publishing information about still-vulnerable products.

Kornbrust noted that he released a workaround to fix each of the vulnerabilities he published. He said he chose not to publish details of other vulnerabilities because he does not have a workaround for them. “I also offered (Oracle) additional time, because I know their application server and database are complicated products and it’s not easy to make a fix,” he said.

A security expert at Next Generation Security Software Ltd. (NGSS), a U.K. company which in the past has itself criticized Oracle for being slow to release patches, sympathized with Kornbrust’s impatience. “I can understand his frustration,” said Chris Anley, a director at NGSS. “It took 20 months to build the Soyuz rocket and 14 months to build the Empire State Building. Can it really be that difficult to patch a piece of software?”

Still, Anley said he would probably not have published details of the flaws. A better solution might have been to open a discussion about the problems on a security mailing list, asking Oracle users how they felt about the issue, he said. “I’m not sure it was a dangerous thing to do, mainly because he provided a workaround for all the bugs,” he added.

Last year NGSS found itself in a position similar to Red-Database-Security’s.
NGSS Managing Director David Litchfield described several unpatched Oracle flaws at the Black Hat security conference last year. He said he disclosed the findings after becoming frustrated that Oracle had not released a patch for the problems sooner. Litchfield said at the time that he was careful not to provide enough detail about the vulnerabilities for hackers to exploit them.

Oracle may have another headache to look forward to at this year’s Black Hat show, which kicks off July 23 at Caesars Palace: Kornbrust is scheduled to give a talk about how to circumvent Oracle’s database encryption. “I warned them about it,” he said. “They told me to go ahead.”