$this->articleCE->primaryUrlById(3645306) = /xSP/article.php/3645306/Oracle+Facing+ZeroDay+Onslaught.htm
Oracle Facing Zero-Day Onslaught? - InternetNews.
RealTime IT News

Oracle Facing Zero-Day Onslaught?

Oracle database users take heed: December may be a tough month. A security researcher is warning of a week of Oracle database bugs.

The revelation comes after Oracle's recent quarterly patch cycle for its namesake database. It typically yields double-digits' worth of fixes for security flaws. For example, Oracle released an update at the end of October for some 63 flaws in Oracle databases. But even more flaws are lurking that have not yet been disclosed, according to Cesar Cerrudo, founder and CEO of the Argeniss Security Research Team. Now, he's taking up the cause.

Cerrudo said he plans to release one bug a day for a full week in December. It's an effort he's calling, "The Week of Oracle Database Bugs"(WoODB). The idea is based on a similar concept that Metasploit developer H. D. Moore first professed with the Month of Browser Bugs effort earlier this year. In an effort to raise awareness of browser security, Moore released one bug a day for the month of July.

According to Cerrudo, the WoODB is intended to actually "help" Oracle's database users. "I think Oracle users' security will be helped since users will realize the real threat they are facing running Oracle flawed software and they will start to put pressure on Oracle asking for responses, improvements in security, etc," Cerrudo said. "Also if you know the threats you can protect better than if you don't know them."

Oracle is being targeted because, in Cerrudo's view, the company's products contain "lots of unpatched vulnerabilities." Argeniss Security Research allegedly has Zero-day exploits for other database vendors as well.

Cerrudo told internetnews.com that Oracle has not contacted him about the effort. Internetnews.com contacted Oracle, but a spokesperson was not immediately available for comment. Oracle's Global Product Security Blog is also silent on the topic.

The researchers claim they could inflict a "Year of Oracle Database Bugs," but say a week's worth makes their point.

In its last patch update, Oracle improved the amount of information it made available about reported flaws. Oracle now identifies which vulnerabilities are remotely exploitable without requiring authentication on the targeted system. Apparently, it's still not enough for Cerrudo.

"Oracle has a long history on not patching bugs in a timely fashion, producing flawed patches and not caring much about security," Cerrudo said. "Nothing has changed. Oracle continues doing the same and someone has to do something about that. We are talking about a multi-million dollar company and securing its products should be a must."