Oracle is fighting another ulcer brought on by its security
critics, but this time the database giant has gotten a little
sympathy from the blogosphere.
First, Argeniss Information Security CEO Cesar Cerrudo said he'd
spend a week in December releasing details of
Oracle database zero-day flaws.
Then, NGS (Next Generation Security) Software Ltd. Managing
Director David Litchfield released a whitepaper arguing that
Microsoft security is stronger than that of
Oracle.
Cerrudo abruptly suspended plans to roll out the Oracle zero-day
flaws this week in a message on his
Web
site. He offered no explanation, though media speculation has
it that he faced pressure from Oracle and DBAs not to expose flaws
for which there is no patch.
But for Oracle, the damage was already done when Cerrudo made
his initial claim that the flaws would illustrate the database
giant's software insecurity. The Litchfield paper, released the
same week as Cerrudo's announcement, simply added fuel to the
fire.
Fed up with the critics, Eric Maurice, manager for security in
Oracle's Global Technology Business Unit, took to the blogosphere
to defend his company's procedures.
"There was a flurry of articles and blog entries written about
Oracle security in recent days," he wrote in the company's official
blog. "I thought I would take this opportunity
to discuss some aspects of Oracle software security assurance,
including the important role played by security researchers."
That role, he said, includes the responsible disclosure of
flaws.
"We acknowledge all of the vulnerabilities at the time of the
issuance of the appropriate fix … and we credit security
researchers for any vulnerability they discovered in the Critical
Patch Update documentation," he said. "However, we do not credit
security researchers who disclose the existence of vulnerabilities
before a fix is available. We consider such practices, including
disclosing zero-day exploits, to be irresponsible as they can
result in needlessly exposing customers to risk of attack."
While some of the most well-respected researchers have
criticized Oracle security in the past, the latest barrage did gain
Oracle some sympathy.
In his
Security Matters blog, security expert Mark
Joseph Edwards wrote that the week of Oracle zero-day bugs idea
was an example of carelessness run amuck.
"It's sometimes understandable to use leverage against vendors'
security-related claims, particularly when they're placing the
Internet community at high risk," he wrote. "However, in the
process of embarrassing vendors some self-proclaimed 'researchers'
invariably harm innocent users of the affected vendors'
products."
He added that Cerrudo's claim that Oracle doesn't care about
security is twisted, "given the amount of carelessness required to
publish zero-day vulnerabilities."
Zombie malware exploits old flaws
Also in the blogosphere this week, the
Symantec Security Response blog has an
interesting entry on a piece of zombie malware that's spreading
via some old flaws in Symantec and Microsoft products.
W32.Spybot.ACYR takes advantage of several previously-patched
Microsoft vulnerabilities, as well as a flaw in Symantec Client
Security and Symantec Antivirus that was patched back in May.
Symantec suggested the malware is taking aim at educational
institutions.
"At the present time, we are seeing a spike in traffic on Port
2967 with activity only in the .edu domain," Symantec said.
But based on Symantec's intelligence, the impact of the attack
is minimal thus far.
To eliminate the threat, Symantec said IT shops should make sure
they've applied all its relevant patches, as well as those
available from Microsoft.
For those unable to apply the appropriate Symantec patch,
blocking Port 2967 at the firewall is another option, Symantec
said.