Oracle acknowledged the existence of multiple security holes in its database software on Tuesday and said it would issue an alert to customers shortly.
The UK-based security expert who found the holes criticised Oracle's conduct, saying that it has been sitting on patches that would fix the holes for about two months.
David Litchfield, managing director of Next Generation Security Software Ltd. said he uncovered 34 security vulnerabilities in past and current versions of Oracle's database software, at least one of which could allow a hacker to gain control of a company's database remotely without needing a password.
Litchfield said he notified Oracle of the vulnerabilities in January, and said the company told him two months ago that it had prepared patches to repair them. Oracle has not released the patches, however, because it is in the midst of introducing a new system for distributing security fixes to customers, according to Litchfield, who was critical of the delay.
"The way they should do it is to run the old system [for issuing patches] until the new system is ready for use," he said. "They have not handled this in the best way they could."
Litchfield mentioned the vulnerabilities last week in a presentation at the Black Hat computer security conference in Las Vegas. They were first reported by the Wall Street Journal Tuesday.
Oracle initially would not confirm the vulnerabilities, saying only that it takes security matters seriously. Later on Tuesday it confirmed the flaws in a brief statement but declined any further comment
"Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better. Oracle has fixed the issues discussed in The Wall Street Journal and will issue a Security Alert soon," the statement read.
Litchfield declined to discuss the vulnerabilities in detail for fear of aiding hackers who might seek to exploit them. "In generic terms, the issues are buffer overflow vulnerabilities, PL-SQL injection vulnerabilities, and a couple of minor issues - well, minor depending on how you do your risk assessment - things like denial of service, passwords in clear text. Basically the whole gamut of vulnerability types."
Until the patches are issued, companies can mitigate risk by following security "best practices", he said, such as providing as little in the way of access privileges to users as is practically possible. "One can go a long way to mitigate the risk of these vulnerabilities, but some don't have workarounds," Litchfield said.
About half of the vulnerabilities affect Oracle's newest, 10g database and three of them are unique to that database, meaning they don't affect previous versions, he said.
Litchfield is known in the industry for releasing the proof-of-concept (or "exploit") code two years ago for a vulnerability in Microsoft Corp.'s SQL Server database. The code was used by hackers as a template to create the Slammer worm, which went on to cause widespread, costly damage.
Litchfield said he has developed similar exploits for the vulnerabilities in Oracle's database but, after the Slammer experience, will not be releasing them, he said.
Most industry analysts had not seen the vulnerabilities Tuesday and said it was hard to gauge their severity. Litchfield said he was not aware of any exploits for the security holes circulating among hackers. The analysts generally praised Oracle for the security of its products and for the way it has handled vulnerabilities in the past.
"They do take these things pretty seriously. They had a security breach a couple of months ago and I think they put out a patch within a day or two," said IDC analyst Carl Olofson.
As with any software product that has been on the market for years, "there are naturally going to be some old lines of code that need to be looked at. But you could say the same thing about DB2 and Sybase," Olofson said.