Oracle has (probably wisely) been keeping their head down the past few months, so imagine my excitement when I saw that IDG put out this where Oracle discusses their approach to software security. And there’s some choice stuff in there – the article starts with Mary Ann Davidson commenting on the “unbreakable” campaign. Talking about her reaction when she first heard it, she said “my response was ‘What idiot dreamed this up?” What idiot, indeed. I’m not going to fault her for this criticism, since I happen to share her opinion. However, a stickler could make the point that she saw things as a little less black-and-white back in the day:

“We believe the market effect of the ‘Unbreakable’ campaign raises the security bar and therefore improves security overall, both in forcing us to live up to the statement, and forcing others in the industry to begin to do the same. If our security today is imperfect but better than the competition, and if customers make a buying decision based on that criteria, than in the long term you will see all products in the market improve.”

Oh well, not that it matters now. The article then moves on to discuss internal Oracle development security efforts. Given Oracle’s track-record in security, I’m surprised that they’re running with this message. For example:

Davidson said the record for fixing one defect was 78 patches, which cost the company around $1 million.

If this were you, would you broadcast having to issue 78 patches to fix one bug? Yeah, I probably wouldn’t either. As to whether or not they are getting better, I think it’s too early to tell. However, I guess we’ll find out in time…

Just when you thought there was nary a peep about Oracle in the industry press, along comes Information Week with a four-page take on Oracle’s patching process. The piece highlights some of the criticism that Oracle’s had from David Litchfield, Red-Database-Security, etc. The article’s long, but well worth the read.

There’s some great stuff here, and the fact that a major outlet like Information Week is covering this means that people are starting to take notice…

In case you missed it, Oracle has put the world on notice to “turn security rhetoric into action”. That was the theme of Evelyn Sell’s (Senior Program Manager with Oracle) presentation last week at SECURECon; basically she took the stage to tell all of us security practitioners and developers that there is no excuse for security rhetoric that isn’t backed up by action. Wow. Do I even need to say it? Does “unbreakable” ring a bell? Or when Larry Ellison said “we haven’t had a vulnerability in twenty years”? Clearly they aren’t and clearly they have. Once again, I am flabbergasted by the hubris and hypocrisy coming out of that firm.

Now I thought I was about as irritated at Oracle’s as I was going to get – but clearly I was wrong. For anybody who hasn’t been paying attention, Oracle is not a the standard for software security – despite what their marketing department might tell you. I remember studying Attic Greek at one point in the distant past, and there are a few things I remember about Hubris: first, I remember that the quality of hubris (‛′Υβρις) is the principal downfall of characters in the tragedies. I also remember that it was one of the worst personality characteristics that the Greeks could imagine a person having. Almost any time that a character demonstrated the trait in tragedy, they were struck down (usually by the gods). To illustrate how much the Greeks hated this quality, the word can mean either “insolence” (akin to the sense we use it in today) or “violent crime” and was punishable by death under Athenian law. The Greeks loved to see those people on a “high horse” get their lumps.

I think the Greeks were on to something; I think the security community is starting to react to Oracle’s bull. Gartner has said they are no longer a “bastion of security”, researchers are working overtime to poke holes in their products, and they’re spending increasing amounts of money to bolster their image. The stage is set, and I think we’re there’s some major divine wrath on the horizon.

Oracle has responded to the charges from Gartner and others that it is the new security whipping-boy by sending out the message that “it’s totally handled”. This time it’s Hasan Rizvi, VP of security products who’s sending the message:

Our customers are so used to high security that when there is a vulnerability they don’t apply the fix because they are not used to it, which is an interesting position to be in. People have to apply them and we can’t do too much about that.

So Oracle’s position is that they are so secure that people are confused about the need to apply patches. So, in the unlikely event that they do need to patch, the customers don’t know they need to apply it. No seriously, that’s the message…

I think some of the problems are, ironically, because of our strong track record and [customers] don’t take some of the processes [sic] to fix them seriously.

So, to paraphrase; “Oracle’s security is the best in the industry, and our customers (recognizing our prowess) keep dropping the ball because we’re so damn good.” Is it just me or does anyone else find this message to be somewhat “out of touch?”

Ever see two dogs fight? I don’t mean the “oooh, let’s roll around and get dirty” play-fighting – I mean the snarling, snapping, frothy-mouthed, “kujo” kind of fighting. For those of you that have seen that in action, concentrate on that image, and you’ll have a succinct description of the current relationship between Dave Litchfield and Oracle’s security organization.

Think I’m overstating the case? Take a look at this article, where Dave faces off against Duncan Harris. The original post by David is sarcastic and inflamatory; needless to say, I personally loved it. Oracle’s response, via Duncan Harris was equally heated; take this quote, for example:

“By just revealing what he has in this workaround, it definitely is a very strong starting point for any malicious hacker…to try and understand the vulnerability and produce an exploit. Yes, we are clearly disappointed that he felt the need to say anything about this vulnerability before we had a patch available”

My thought on this is that neither of them are right. David’s wrong for (albeit sarcastically) recommending a vendor-unsupported security fix. Just as I said when SANS starting touting the unofficial wmf patch, I don’t think installing any fix/workaround that isn’t supported by the vendor is a good idea. On the other hand, one might well wonder why Oracle hasn’t fixed this vulnerability. Everyone (even Oracle) seems to agree that this bug allows untrusted parties to gain DBA access to a database remotely – since this bug is in the PLSQL-gateway component which is often installed on Internet-facing servers, that’s a pretty dangerous proposition. Since they had four months to fix it, one wonders why they didn’t do so.

So, neither of them are right – clearly. But they are wrong to varying degrees. Dave is guilty of (at best) encouraging users to void the Oracle warranty, Oracle is guilty of (at best) misrepresenting their security posture. In other words, David’s message could have been phrased better, whereas Oracle’s message was (in my opinion) dangerous and disingenuous. It’s dangerous because this is a publicly-known high-risk bug that Oracle intends to leave unpatched until April (when the next quarterly bug fix comes out.) It’s disingenuous because it contradicts statements made last week by Duncan in his Q&A. Last week, Duncan told us all about the Oracle traige process; he said how important it was that fixes were prioritized according to criticality. He had a whole paragraph about it:

It absolutely depends on their severity. The Critical Patch Update that we [just] issued — one of the vulnerabilities there was reported to Oracle in November. There is another that was reported to Oracle 800-plus days ago by external researchers. That is not something we are proud of, [but] it points to the fact that we fix vulnerabilities in order of severity.

How can that be accurate? Is it really the case that this bug (which in a typical configuration permits DBA-level access to a database from the Internet) was analyzed, prioritized, and judged to be less dangerous than the other 82 fixes included in last week’s patch bundle? Occam’s Razor would seem to indicate that one of the two messages he put out this week is fiction – either this bug wasn’t prioritized according to severity (as per the Q&A) or the vulnerability process over there doesn’t work the way he said it does as per today’s response to Dave.

Rob over at Googgun always comes through with the good information.

This time, he sent me a great link to this article describing how Gartner hammered Oracle’s security practices like when Dux landed the “Dim Mak” in Bloodsport. Granted, Gartner’s a bit late to the party on this one – a number of analysts have been critical of Oracle for a while now – but Gartner’s big, so people listen when they say stuff.

Check out all the meaty derision for Oracle in their research:

Oracle provides only very limited information about vulnerabilities