Shostack + Friends Blog Archive


Known unknowns?

Oracle has just released fixes for 82 vulnerabilities.
After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security researchers such as Alexander Kornbrust and David Litchfield have reported at least 137 Oracle vulns which remain unfixed. He then makes an excellent point:

If we consider that Oracle finds more than 75 percent of flaws in-house, and the total number of the unpatched bugs reported to Oracle just by the above-mentioned security researchers is 137, how many flaws has Oracle uncovered in-house that it still hasn’t fixed? Not sure I’ll get the answer from Oracle, but at least I have asked the question.

The 75% figure comes from Oracle, and in principle it cannot be known with precision: the denominator is the total number of flaws in the product, which includes flaws that outsiders have found but never reported. Its accuracy therefore depends on the number of Oracle zero-days out there, a number nobody can measure. As Krebs observes:

[I]f there are widespread attacks against Oracle database servers, it is unlikely most people will ever hear about them — that is, until an affected company is forced through various state data-breach notification laws to go public with a few details (none of which are likely to include the affected hardware or software.)