A vulnerability researcher has attacked Oracle for failing to tackle a number of flaws in its software products.
David Litchfield, managing director of security software company NGS Software, in an open letter to the company, said that it needs to “deliver and execute an effective security strategy that actually deals with problems rather than sweeping them under the carpet or waste time by blaming others for their own failings.”
He slammed the way the company had reacted to patching a series of flaws in its database products, saying it took eight months to come up with fixes that still did not alleviate the problems.
“One would expect that, given the length of time they took to deliver, these security ‘fixes’ would be well considered and robust; fixes that actually resolve the security holes,” said Litchfield.
“The truth of the matter though is that this is not the case.”
Last August, Oracle released a security update, called Alert 68, to fix a number of flaws in its database server software that allows a low privilege user to gain full control over the database. Litchfield said the patches only fixed the sample exploits he had sent them and with some tweaking the flaws could be exploited again.
He also pointed out that in other cases Oracle have simply dropped the old procedures and added new ones with the same vulnerable code.
“I reported these broken fixes to Oracle in February 2005. It is now October 2005 and there is still no word of when the ‘real’ fixes are going to be delivered. In all of this time Oracle database servers have been easy to crack – a fact Oracle are surely aware of,” said Litchfield.
He urged Oracle users to “to get on the phone, send a email, demand a better security response.”
“It’s important that Oracle get it right. Our national security depends on it; our companies depend on it; and we all, as individuals depend on it,” he added.
Oracle was unable to respond to the charges and a company spokeswoman said it had not had time to formulate a response to Litchfield’s comments.