Litchfield's Last Hurrah

Yesterday was David Litchfield's last day at NGS Software, and he commemorated the milestone by dropping a zero-day vulnerability in Oracle's 11g database at Black Hat DC. He also surprised the audience -- and possibly himself -- by awarding Oracle a "B+" final grade for security in 11g, after nearly 10 years of keeping Oracle on its toes by calling out vulnerabilities in its database technology."[I've] been bashing heads since Larry Ellison said [Oracle's database] was 'unbreakable.' It was like waving a red flag to a bull," Litchfield quipped during his presentation at Black Hat DC yesterday on his latest research.

It's unclear where Litchfield will go from here now that he has retired from NGS -- he wouldn't commit publicly on his official plans, except to say he's taking some time off and plans to do some diving. It's hard to imagine this, indeed, is the last we'll see of his groundbreaking database security research days. But, somehow, it feels like the end of an era.

Litchfield said even with the latest flaw he discovered, Oracle's 11g is "vastly superior" security-wise compared to its software two years ago, mostly thanks to the security tools Oracle now runs to check for flaws. But Oracle actually relies too heavily on security tools to catch problems in its code before the products ship, he said. "They use tools too much as the goalkeeper" to make the save, Litchfield said, which doesn't always work.

"They don't need to go back to the drawing board -- they just need to tweak it," he said.

Overall, Oracle's bug count is down 35 percent since the 10gR2 release, Litchfield said, and the severity of vulnerabilities has also declined -- all good news. But he demonstrated an attack exploiting an unpatched flaw he discovered in 11g that lets a low-privilege user grant himself the ability to execute operating system commands and files. "We just made him the administrator," Litchfield said during the demo.

A parting shot: The latest 11g flaws he found could have been discovered much earlier by Oracle (during the software requirements or design phases) had Oracle used a secure software development life cycle program, he said.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading