Researchers Bugging Oracle
Researchers are giving Oracle database customers an early Christmas gift - a zero-day bug a day for one week
November 21, 2006
First it was the Month of Browser Bugs, then it was the Month of Kernel Bugs, and now it is the Week of Oracle Database Bugs (WoODB). (See Getting Buggy with the MOBB and Month of Kernel Bugs to Come.)
Researchers at Buenos Aires, Argentina-based Argeniss plan to post a zero-day bug each day for one week in December. They say they want to demonstrate how Oracle's software isn't as secure as it should be, and how Oracle fails to find and fix bugs. And when Oracle does find bugs, they say, it takes two years or more for a patch.
Argeniss has found zero-day flaws in all database software, not just Oracle's, but it considers Oracle fair game because of its unpatched vulnerabilities.
Databases typically store the crown jewels of data in an organization, so they are becoming an obvious target. And database security is gaining attention as Web application vulnerabilities and exploits increase. Web apps often serve as the front-end to the database, so Web app attacks are the means to an end, the database. (See Study: SQL Server Is Safest DB and Database Threat Intensifies.)
"We have zero-days for all database software vendors but Oracle is 'the number one star' when talking about lots of unpatched vulnerabilities and not caring about security," Argeniss founder and CEO Cesar Cerrudo said in a message board posting announcing the WoODB.
Cerrudo told Dark Reading that he'll post local-privilege escalation, buffer overflow, denial of service, and SQL injection bugs, among others. "My team has found more than 200 vulnerabilities [in Oracle software] -- this includes fixed and unfixed ones," he says. "We have [around] 70 that haven't been fixed yet, [and] also half of them haven't been reported."
Oracle didn't comment directly about the WoODB, but reiterated its policy on disclosure of bugs. "Oracle values the work independent security researchers do and encourages them to follow responsible disclosure policies. Releasing detailed information about unpatched vulnerabilities helps attackers create exploits and attack unpatched systems," an Oracle spokesperson said. "Researchers can notify Oracle of security vulnerabilities by emailing [email protected]."
Argeniss, meanwhile, could have done a year's worth of Oracle database bugs, according to Cerrudo, but it decided a week was sufficient to show Oracle software flaws, plus it didn't want to disclose all the zero-days it had found. There's a chance it could go beyond a week if Argeniss gets contributions to the effort.
— Kelly Jackson Higgins, Senior Editor, Dark Reading