Oracle and Bug Hunters Clash Over Flaw Reports


By Jaikumar Vijayan
December 11, 2006

The long-standing tension between software vendors and independent 
researchers who try to find security holes in products came into public 
view late last month, when Oracle Corp. criticized bug hunters after it 
came under fire for its security practices.

In a message posted Nov. 27 in a blog on Oracle's Web site, Eric Maurice, 
manager of security in the company's global technology business unit, 
said Oracle wouldn't let external perceptions drive its software security 
policies. Maurice reiterated Oracle's commitment to strong security 
practices but said it would continue to prioritize vulnerabilities based 
on their criticality and not on who had discovered them.

He also blasted security researchers who disclose so-called zero-day 
flaws before vendors make fixes available for them. "We consider such 
practices to be irresponsible, as they can result in needlessly exposing 
customers to risk of attack," Maurice wrote.

The blog post was an apparent response to what Maurice described as a 
"flurry of articles and blog entries" about Oracle security issues.

Database Holes

For example, Next Generation Security Software Ltd., a Surrey, 
England-based security research firm that has consulted with Microsoft 
Corp. on security issues in the past, released a study showing that 
Oracle's databases have had far more vulnerabilities than Microsoft's SQL 
Server has had over the past six years.

Meanwhile, a security researcher in Argentina announced then abruptly 
canceled plans to release information about an Oracle zero-day flaw 
every day for one week in December.

Cesar Cerrudo, founder of Argeniss, an IT security firm in Buenos Aires, 
wouldn't explain why he dropped the bug-disclosure plans. But via e-mail, 
Cerrudo defended the work done by security researchers and said vendors 
should be more concerned about responsible software development than 
about proper vulnerability disclosure practices. "Vendors are used to 
researchers playing nice," he wrote. "The situation should change. 
Research costs thousands of dollars, and right now vendors are getting 
[it for] free."

H.D. Moore, founder of the controversial Metasploit Project, which 
releases vulnerability information and tool kits for writing attack 
code, rebutted the notion that such initiatives only benefit malicious 
hackers. "The information made available by Metasploit puts the good guys 
on equal footing with the folks who already have the skill to launch 
these types of attacks," Moore wrote as part of an e-mail interview.

Security flaws are unlikely to remain undiscovered for long, whether bug 
hunters go looking for them or not, said Robert Palmer, vice president 
of IT at Lenox Inc., a Lawrenceville, N.J.-based maker of tableware and 

Independent researchers provide a valuable service, not just to users 
but to software vendors as well, Palmer said. He added that he wants to 
see vendors bring bug hunters into the software development cycle. One 
way to do so would be to give researchers access to alpha or beta code 
with the express intent of letting them try to crack it before the 
software is commercially released, Palmer said.

But Andrew Plato, president of Anitian Enterprise Security, a consulting 
and systems integration firm in Beaverton, Ore., said researchers should 
give vendors at least 30 days to address vulnerabilities before 
reporting them publicly. "One of the largest problems with independent 
vulnerability research is blackmailing and grandstanding," Plato said.

He added that as long as bug hunters follow generally accepted 
flaw-reporting practices, they serve an important role. "Obscurity is not 
security," Plato said. "It's better to know about a bug and get it fixed 
than to have it hidden."
