Shostack + Friends Blog Archive

 

Database Flaws More Risky Than Discussed

Rob Lemos has an article in CNET about NGSSoftware. On Thursday, they released a slew of advisories about Oracle products with flaws NGS had discovered 3 months ago. Now, it turns out that the problems may be more risky than thought. Alternatively, the release of the exploit code may have caused SecurityFocus to raise its threat estimate.

Now, on the one hand, these issues, and their patches, have been known for a while. Anyone really interested could have used binary diffing tools, from folks like Halvar Flake (400k PDF) or Todd Sabin, to see what the patches changed. So a company attempting to use risk management techniques for patching has had quite a bit of time to test, wait for a patching window, and then apply the patches. In the meantime, they’ve been vulnerable to a small number of competent attackers and their associates who’ve known how to exploit these flaws since the patches came out. Anyone who waits for an exploit to become public in a case like this is likely to become a victim.

However, it’s also possible that the vendor’s choice of how to characterize the risk was either incorrect, or chosen to put them in the best light. Without the technical data about the exploit being easily available, there’s no check on the vendor’s assessment. So the risk management numbers may well have given the wrong result: A ‘high’ risk vulnerability that should have been patched may have been labeled ‘medium,’ and a customer with a low cost of downtime may have decided to accept the risk of being attacked, rather than the risk of system change.

On a closely related note, folks who release a fully automated compromise of XP SP2 or IE overflows on Christmas Eve are being poor sports. Whatever you think of Microsoft’s security practices or of full disclosure, there’s little reason to put millions of people at risk by releasing an advisory when the people who would write the fix are presumably on vacation, as are the people who would install it.

[Update: Put in link to Todd Sabin’s work.]