Ever see two dogs fight? I don't mean the "oooh, let's roll around and get dirty" play-fighting - I mean the snarling, snapping, frothy-mouthed, "Cujo" kind of fighting. For those of you that have seen that in action, concentrate on that image, and you'll have a succinct description of the current relationship between Dave Litchfield and Oracle's security organization.
Think I'm overstating the case? Take a look at this article, where Dave faces off against Duncan Harris. The original post by David is sarcastic and inflammatory; needless to say, I personally loved it. Oracle's response, via Duncan Harris, was equally heated; take this quote, for example:
"By just revealing what he has in this workaround, it definitely is a very strong starting point for any malicious hacker...to try and understand the vulnerability and produce an exploit. Yes, we are clearly disappointed that he felt the need to say anything about this vulnerability before we had a patch available."
My thought on this is that neither of them is right. David's wrong for (albeit sarcastically) recommending a vendor-unsupported security fix. Just as I said when SANS started touting the unofficial WMF patch, I don't think installing any fix/workaround that isn't supported by the vendor is a good idea. On the other hand, one might well wonder why Oracle hasn't fixed this vulnerability. Everyone (even Oracle) seems to agree that this bug allows untrusted parties to gain DBA access to a database remotely - since this bug is in the PL/SQL gateway component, which is often installed on Internet-facing servers, that's a pretty dangerous proposition. Since they had four months to fix it, one wonders why they didn't do so.
So, neither of them is right - clearly. But they are wrong to varying degrees. Dave is guilty of (at best) encouraging users to void the Oracle warranty; Oracle is guilty of (at best) misrepresenting their security posture. In other words, David's message could have been phrased better, whereas Oracle's message was (in my opinion) dangerous and disingenuous. It's dangerous because this is a publicly-known high-risk bug that Oracle intends to leave unpatched until April (when the next quarterly bug fix comes out). It's disingenuous because it contradicts statements made last week by Duncan in his Q&A. Last week, Duncan told us all about the Oracle triage process; he said how important it was that fixes were prioritized according to criticality. He had a whole paragraph about it:
It absolutely depends on their severity. The Critical Patch Update that we [just] issued -- one of the vulnerabilities there was reported to Oracle in November. There is another that was reported to Oracle 800-plus days ago by external researchers. That is not something we are proud of, [but] it points to the fact that we fix vulnerabilities in order of severity.
How can that be accurate? Is it really the case that this bug (which in a typical configuration permits DBA-level access to a database from the Internet) was analyzed, prioritized, and judged to be less dangerous than the other 82 fixes included in last week's patch bundle? Occam's Razor would seem to indicate that one of the two messages he put out this week is fiction - either this bug wasn't prioritized according to severity (as per the Q&A), or the vulnerability process over there doesn't work the way he said it does (as per today's response to Dave).