Breakable
March 2001
An Oracle advertisement emailed to InfoWorld subscribers typifies the software company's newest marketing campaign. It begins with the unsettling assertion that annual computer security incidents have increased ten-fold since 1997, then lists the ways that the company's database products can defend the reader against hackers. The ad ends with a now-familiar claim, "Oracle9i. Unbreakable. Can't break it. Can't break in."If the marketing message suffers from one flaw, it is this: It isn't exactly true. In December, U.K. security researcher David Litchfield revealed that a common programming error -- a buffer overflow -- was present in Oracle's application server, potentially allowing hackers to gain remote access to the system over the Internet. PenTest Limited and eEye Digital Security followed up with advisories of their own on less severe holes. Fixes are available for all three bugs on the Oracle Web site, but the damage to the company's "unbreakable" messaging isn't as easily patched.
"If to them 'unbreakable' doesn't even mean they eliminate buffer overflows, how can it possibly mean they've secured the hard stuff?," says Bruce Schneier, founder and CTO of Counterpane Internet Security. "Fixing buffer overflows is the price of admission."
Making matters worse for Oracle, it turns out that those holes were little more than a prelude to a suite of at least seven vulnerabilities currently in the company's patch pipeline -- all of them discovered by Litchfield last fall. Assuming fixes are available in time, Litchfield plans to present the holes at a security conference in early February, including details of serious bugs that allow attackers to both "break it" and "break in."
While Oracle's vulnerabilities are no greater in number or severity than those found in other major software products, some experts charge that the steady stream of security holes transforms "unbreakable" from a harmless marketing gimmick into a potentially dangerous misstatement.
Source...
