Yesterday at Black Hat, David released information on his latest find, a pretty serious batch of vulnerabilities in Oracle 11g which allows any user to escalate privileges to gain complete access & control of the database.
What’s interesting here is not so much that there is yet another vulnerability (for those of you who are running Hedgehog and getting vPatch updates, you are already protected!), but more how this demonstrates the very tricky relationship that often exists between ethical security researchers and the database vendors.
David has been contributing to the Oracle DB security research community for many years, and certainly has the process down pretty well for notifying Oracle and giving them time to make the fix before going public. But, this time around, things didn’t go as planned. After notifying Oracle in November, he apparently wasn’t satisfied with their response, and decided it was best to announce the vulnerability now. The good news is he also provided recommendations on how to protect systems from being exploited.
We know how he feels. In 6 out of the last 7 Oracle CPUs, one or more Sentrigo employees has been credited for contributions. Pretty impressive for our size, and a testament to the work of our Red Team. In all of those cases, we’ve been pretty satisfied with the pace of Oracle fixes, and have simply built protection into our products from our day-zero discovery and waited for Oracle to release a patch.
But, for those of you who have been reading this blog for a while, you’ll recall the incident last September, when after a year of prodding Microsoft to fix a flaw in SQL Server, we too reached a point of frustration and announced it. Also, with a fix of course. But, the decision to do this is not an easy one. The very vendors you are hoping to have an excellent working relationship with are not likely to be happy. In this case, Microsoft tried to argue that it was not very serious… but as security researchers we simply didn’t agree (nor did most of the public, based on comments we received). I’m sure David felt the same way about this recent vulnerability. You can’t simply leave it there for other (less ethical) people to find and exploit.
So, we’ll see how this one plays out… I’m guessing Oracle will eventually provide a patch. But, it does raise the question of what the white hats of the world are supposed to do, when a vendor simply doesn’t get it. I’d be interested in your thoughts…