By Joris Evers
Staff Writer, CNET News.com
July 19, 2005
Serious unpatched security flaws exist in certain Oracle products,
according to a German security researcher who said the software maker
has not fixed the bugs despite knowing about them for two years.
Alexander Kornbrust of Red Database Security published alerts on six
security vulnerabilities on Tuesday. Five of the reported bugs are in
the Oracle Reports enterprise reporting tool. Another is in Oracle
Forms, a technology that is part of Oracle Developer Suite and is used
to build applications.
"I reported these bugs two years ago," Kornbrust said in an e-mail to
CNET News.com. In April, to pressure the company into providing fixes,
he told the software maker that he would publish details on the bugs
if they were not patched as part of the company's July security
The most serious vulnerabilities could let an attacker gain control
over an Oracle user's systems, according to the alerts. Kornbrust
deems three of the bugs "high risk," two "medium risk" and one "low
risk." The problems affect various versions of the Oracle products,
including the newest 10g versions, he said.
Oracle declined to comment on Kornbrust's report of the flaws. A
company representative did say that Oracle believes details on
vulnerabilities should not be disclosed before a patch is available.
"We are disappointed when researchers act contrary to this industry
best practice," the representative said in an e-mailed statement.
Kornbrust is a respected researcher, security experts from VeriSign's
iDefense and eEye Digital Security said. He has discovered bugs in
Oracle products in the past and those have been fixed by the software
maker, they said.
Public disclosure of flaws turns up the heat on Oracle to remedy the
problems but also increases the risk of attacks, said Steve Manzuik, a
product manager at eEye. "It gives other people the spot to look to
find the actual problems," he said.
The time that Kornbrust claims Oracle has left the
vulnerabilities unpatched is "phenomenal," said Michael Sutton, a lab
director at iDefense. "If true, this is one of the worst examples that
I've seen of a software vendor not responsibly addressing known
vulnerabilities. I'm hopeful that Oracle will publicly respond to this
allegation as customers deserve an explanation," Sutton said.
eEye's Manzuik agreed. "You don't even see that with the longest
Microsoft vulnerability," he said. There must have been some sort of
miscommunication between Oracle and Kornbrust, he suggested.
Kornbrust believes Oracle could be playing for time. "It is easier to
fix the bug silently in the next release and to wait until an old
product is no longer supported," he said.
Pete Finnigan, a security specialist in York, England, said there may
be as many as 250 reported but unfixed flaws in Oracle products.
"Maybe they simply have not enough security people in-house to fix the
bugs," he said.
Kornbrust said that he is not aware of anyone exploiting the flaws. He
has offered workarounds in his advisories to protect systems. Finnigan
and eEye's Manzuik recommend users apply those, after making sure the
workarounds don't break their systems.