Oracle responds to security critics

Oracle is fighting another ulcer brought on by its security critics, but this time the database giant has gotten a little sympathy from the blogosphere.

First, Argeniss Information Security CEO Cesar Cerrudo said he'd spend a week in December releasing details of Oracle database zero-day flaws.

Then, NGS (Next Generation Security) Software Ltd. Managing Director David Litchfield released a whitepaper arguing that Microsoft security is stronger than that of Oracle.

Cerrudo abruptly suspended plans to roll out the Oracle zero-day flaws this week in a message on his Web site. He offered no explanation, though media speculation has it that he faced pressure from Oracle and DBAs not to expose flaws for which there is no patch.

But for Oracle, the damage was already done when Cerrudo made his initial claim that the flaws would illustrate the database giant's software insecurity. The Litchfield paper, released the same week as Cerrudo's announcement, simply added fuel to the fire.

Fed up with the critics, Eric Maurice, manager for security in Oracle's Global Technology Business Unit, took to the blogosphere to defend his company's procedures.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected]. Recent columns: Zango defying FTC agreement, researchers say Is the SANS Top 20 still useful? Sailing a sea of spam

"There was a flurry of articles and blog entries written about Oracle security in recent days," he wrote in the company's official blog. "I thought I would take this opportunity to discuss some aspects of Oracle software security assurance, including the important role played by security researchers."

That role, he said, includes the responsible disclosure of flaws.

"We acknowledge all of the vulnerabilities at the time of the issuance of the appropriate fix … and we credit security researchers for any vulnerability they discovered in the Critical Patch Update documentation," he said. "However, we do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing zero-day exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack."

While some of the most well-respected researchers have criticized Oracle security in the past, the latest barrage did gain Oracle some sympathy.

In his Security Matters blog, security expert Mark Joseph Edwards wrote that the week of Oracle zero-day bugs idea was an example of carelessness run amuck.

"It's sometimes understandable to use leverage against vendors' security-related claims, particularly when they're placing the Internet community at high risk," he wrote. "However, in the process of embarrassing vendors some self-proclaimed 'researchers' invariably harm innocent users of the affected vendors' products."

He added that Cerrudo's claim that Oracle doesn't care about security is twisted, "given the amount of carelessness required to publish zero-day vulnerabilities."

Zombie malware exploits old flaws
Also in the blogosphere this week, the Symantec Security Response blog has an interesting entry on a piece of zombie malware that's spreading via some old flaws in Symantec and Microsoft products.

W32.Spybot.ACYR takes advantage of several previously-patched Microsoft vulnerabilities, as well as a flaw in Symantec Client Security and Symantec Antivirus that was patched back in May. Symantec suggested the malware is taking aim at educational institutions.

"At the present time, we are seeing a spike in traffic on Port 2967 with activity only in the .edu domain," Symantec said.

But based on Symantec's intelligence, the impact of the attack is minimal thus far.

To eliminate the threat, Symantec said IT shops should make sure they've applied all its relevant patches, as well as those available from Microsoft.

For those unable to apply the appropriate Symantec patch, blocking Port 2967 at the firewall is another option, Symantec said.