First it was the Month of Browser Bugs, then it was the Month of Kernel Bugs, and now it is the Week of Oracle Database Bugs (WoODB). (See Getting Buggy with the MOBB and Month of Kernel Bugs to Come.)
Researchers at Argeniss, based in Buenos Aires, Argentina, plan to post a zero-day bug each day for one week in December. They say they want to demonstrate that Oracle's software isn't as secure as it should be, and that Oracle fails to find and fix bugs. And when Oracle does find bugs, they say, it takes two years or more for a patch.
Argeniss has found zero-day flaws in all database software, not just Oracle's, but it considers Oracle fair game because of its unpatched vulnerabilities.
Databases typically store the crown jewels of an organization's data, so they are becoming an obvious target. And database security is gaining attention as Web application vulnerabilities and exploits increase. Web apps often serve as the front end to the database, so Web app attacks are a means to an end: the database. (See Study: SQL Server Is Safest DB and Database Threat Intensifies.)
"We have zero-days for all database software vendors but Oracle is 'the number one star' when talking about lots of unpatched vulnerabilities and not caring about security," Argeniss founder and CEO Cesar Cerrudo said in a message board posting announcing the WoODB.
Cerrudo told Dark Reading that he'll post local-privilege escalation, buffer overflow, denial of service, and SQL injection bugs, among others. "My team has found more than 200 vulnerabilities [in Oracle software] -- this includes fixed and unfixed ones," he says. "We have [around] 70 that haven't been fixed yet, [and] also half of them haven't been reported."
Oracle didn't comment directly on the WoODB, but reiterated its policy on disclosure of bugs. "Oracle values the work independent security researchers do and encourages them to follow responsible disclosure policies. Releasing detailed information about unpatched vulnerabilities helps attackers create exploits and attack unpatched systems," an Oracle spokesperson said. "Researchers can notify Oracle of security vulnerabilities by emailing [email protected]."
Argeniss, meanwhile, could have done a year's worth of Oracle database bugs, according to Cerrudo, but it decided a week was sufficient to show the flaws in Oracle's software, and it didn't want to disclose all the zero-days it had found. There's a chance the effort could go beyond a week if Argeniss gets contributions from other researchers.
Kelly Jackson Higgins, Senior Editor, Dark Reading