Oracle admits to database security holes

Oracle has acknowledged the existence of multiple security holes in its database software and said it plans to issue a security...

Oracle has acknowledged the existence of multiple security holes in its database software and said it plans to issue a security alert shortly.

David Litchfield, managing director of UK-based Next Generation Security Software claims to have found 34 security vulnerabilities in past and existing versions of Oracle's database software, at least one of which could allow a hacker to gain control of a company's database remotely without needing a password.

Litchfield said he notified Oracle of the vulnerabilities in January, and said the company told him two months ago that they had prepared patches to repair them. Oracle has not released the patches, however, because it is in the middle of introducing a new system for distributing security fixes to customers, according to Litchfield, who was critical of the delay.

"The way they should do it is to run the old system [for issuing patches] until the new system is ready for use," he said. "They have not handled this in the best way they could."

Oracle initially would not confirm or deny the vulnerabilities, saying only that it takes security matters seriously. Later it confirmed the flaws, but declined any further comment

"Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better. Oracle has fixed the issues discussed and will issue a Security Alert soon," the statement read.

Oracle prides itself on the security of its database software. Its advertising campaigns have focused on the idea that its database is "unbreakable", and it often talks of its security certifications awarded by US government agencies.

Litchfield declined to discuss the vulnerabilities in detail for fear of aiding hackers who might seek to exploit them.

Until the patches are issued, companies can mitigate risk by following best practices recommended by supplier and consultants, he said, including providing as little access privileges to database users as is practically possible.

"One can go a long way to mitigate the risk of these vulnerabilities, but some don't have workarounds," he said.

Litchfield said that about half of the vulnerabilities affect Oracle's newest, 10g database, and that three of them are unique to that database, meaning they do not affect previous versions.

Litchfield is known for releasing the proof-of-concept (or "exploit") code two years ago to help explain the threat caused by a vulnerability in Microsoft's SQL Server database. The code was used by hackers as a template to create the Slammer worm, which went on to cause widespread and costly damage.

Litchfield has developed similar exploits for the vulnerabilities in Oracle's database, but, after the Slammer experience, he will not be releasing those exploits.

James Niccolai writes for IDG News Service

Read more on IT risk management