October 11, 2005

David Litchfield - the fallout continues

The fallout continues over David Litchfield's open letter to Oracle. At first I wasn't sure that the community was going to pick this up and run with it, but it has. First, we have Cesar Cerrudo from Argeniss who posted to Bugtraq in response to Dave's letter. My favorite quote:

I can say that we at Argeniss break Oracle database server all the time, we are tired of breaking Oracle, it's so easy ... most security researchers know about this and also the bad guys who are actively exploiting the vulnerabilities.

There's also the response from Alexander Kornbrust who gives three examples of Oracle vulnerability management - none of them too flattering to the "big O". One of them, a remotely exploitable security vulnerability, has apparently taken Oracle 786 days to fix (790 now, since he wrote that on Friday).

The problem is not that Oracle has security vulnerabilities - every vendor does. The problem isn't even that it takes Oracle a long time to fix the problems - some software is harder to work with than others; Oracle has to support a lot of hardware configurations, so maybe we'd give them some slack if a patch takes a while. No, in my opinion, the problem is hypocrisy.

In my opinion, Oracle's mouth is writing checks that its actions can't cash. Clearly this is true with the "out of synch with reality" public statements made by their executives (e.g. Oracle hasn't been broken in 15 years), but I think the problem is broader than that. Take a look, for example, at the Oracle Security Alerts Commitment on their website:

"Oracle Corporation is committed to providing robust security in our products.
Occasionally, security vulnerabilities are found in Oracle products. Oracle makes every attempt to rectify these vulnerabilities quickly, yet effectively... As with any other major vendor providing a variety of software running on a variety of hardware in a multitude of configurations, Oracle cannot provide software security patches instantaneously though we do our best to expedite the patch delivery process. Any proven security vulnerability requires an in-depth investigation of the issues involved and a well-tested solution, both of which may take a considerable amount of time and effort.

In the Oracle Security Alerts, Oracle gratefully acknowledges the many individuals and organizations that bring potential security vulnerabilities to our notice prior to making these vulnerabilities public knowledge. These individuals and organizations work with Oracle to coordinate the distribution of resulting solutions to the general public."

To paraphrase, the Oracle promise is: patches that are tested, that are delivered as quickly as possible, and that represent a team effort between themselves and the researchers. I think what we're finding out is that Oracle fails by their own standard.

It's about dissonance:
- Oracle says they are committed to testing patches; researchers tell us that the patches don't work
- Oracle says they are committed to bringing patches out quickly; researchers tell us it takes years
- Oracle says they work with researchers to bring vulnerabilities to light; researchers tell us they are asked to take vulnerability content off their sites

We trusted Oracle, so no one wants to believe that the trust is misplaced. But when the dissonance becomes too great, we stop trusting and start getting angry. The dissonance between statements like "Oracle gratefully acknowledges the many individuals and organizations that bring potential security vulnerabilities to our notice" and Mary Ann calling the research community a "problematic bunch" is just too great to sweep under the rug.

Posted by Ed at October 11, 2005 12:13 PM