Oracle database users take heed: December may be a tough month. A security researcher is warning of a week of Oracle database bugs.
The warning follows Oracle’s most recent quarterly Critical Patch Update for its namesake database, a cycle that typically delivers a double-digit count of security fixes. At the end of October, for example, Oracle released an update addressing some 63 flaws in its database products. But still more flaws remain undisclosed, according to Cesar Cerrudo, founder and CEO of the Argeniss Security Research Team. Now he’s taking up the cause.
Cerrudo said he plans to release one bug a day for a full week in December, an effort he’s calling “The Week of Oracle Database Bugs” (WoODB). The idea follows the model of the Month of Browser Bugs effort that Metasploit developer H. D. Moore ran earlier this year: to raise awareness of browser security, Moore released one bug a day for the month of July.
According to Cerrudo, the WoODB is intended to actually “help” Oracle’s database users. “I think Oracle users’ security will be helped since users will realize the real threat they are facing running Oracle flawed software and they will start to put pressure on Oracle asking for responses, improvements in security, etc.,” Cerrudo said. “Also if you know the threats you can protect better than if you don’t know them.”
Oracle is the target because, in Cerrudo’s view, the company’s products contain “lots of unpatched vulnerabilities.” Argeniss Security Research also claims to hold zero-day exploits for other database vendors’ products.
Cerrudo told internetnews.com that Oracle has not contacted him about the effort. Internetnews.com contacted Oracle, but a spokesperson was not immediately available for comment. Oracle’s Global Product Security Blog is also silent on the topic.
The researchers say they have enough material for a “Year of Oracle Database Bugs,” but that a week’s worth is sufficient to make their point.
In its last patch update, Oracle increased the amount of information it publishes about reported flaws: it now identifies which vulnerabilities are remotely exploitable without authentication on the targeted system. Apparently, that is still not enough for Cerrudo.
“Oracle has a long history of not patching bugs in a timely fashion, producing flawed patches and not caring much about security,” Cerrudo said. “Nothing has changed. Oracle continues doing the same and someone has to do something about that. We are talking about a multi-million dollar company and securing its products should be a must.”