Saturday, July 30, 2005

Security Flaws and the publication of flaws.

Oracle released its latest Critical Patch Update (CPU) on July 12th, and Oracle security researcher Alexander Kornbrust has done his analysis and posted a number of comments on his site.

Alex posted some critical commentary on Oracle's failure to fix flaws that are two-plus years old. One of the things he did was to release "details" of the flaws in order to force Oracle to provide a fix. This is becoming more and more common as the industry heads towards "zero-day" exploits. There are a whole bunch of arguments and counter-arguments about releasing information on flaws for which vendors have not provided a fix. Some say that knowing about the flaws lets customers pressure the vendors to provide fixes quicker. Others say that it points hackers (black hats) in the right direction and allows them to exploit the flaws before the vendor can come up with a fix.

Normally an announcement about a flaw is published only after the vendor has provided a fix, and that can take months (see Oracle's Mary-Ann Davidson's article in
One of the latest high-profile incidents involved Michael Lynn (formerly of ISS), who exposed flaws in Cisco's IOS at the recent Black Hat conference.

So, what do you think? Me, I am just interested in ensuring that my employer's systems are secured, and in getting the vendors not just to provide security fixes but also to do a better job of designing quality systems. It is inevitable that systems will be broken into; all we can do is secure our systems so that the less sophisticated hackers will move on to other, more vulnerable systems. What I would also like to see from vendors like Oracle is a tool that we (the customers) can use to ensure that patches are applied and that the flaws are closed.
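As an added example (not part of the original post, and not an Oracle-supplied tool), one check a DBA can run today to answer the "is the CPU actually applied?" question: Oracle 10g and later record each CPU's post-install step (catcpu.sql) in the DBA_REGISTRY_HISTORY view. The assumptions here are that the database is 10g or later, that the query runs as a user with SELECT on the DBA views, and that the COMMENTS column carries a label beginning with "CPU" (such as the July 2005 label) for each applied update.

```sql
-- Added example, not from the original post or from Oracle.
-- Lists the Critical Patch Updates this database records as applied.
-- Assumes Oracle 10g or later, where catcpu.sql (the CPU post-install
-- script) inserts a row into the registry history for each CPU applied.
-- The 'CPU%' pattern on COMMENTS is an assumption about the label text
-- (for example 'CPUJul2005' for the July 2005 update).
SELECT action_time,
       action,
       namespace,
       version,
       id,          -- patch number recorded by catcpu.sql
       comments     -- CPU label, e.g. 'CPUJul2005'
  FROM dba_registry_history
 WHERE comments LIKE 'CPU%'
 ORDER BY action_time;

-- If the July 2005 CPU was applied, expect a row whose COMMENTS names it.
-- If no rows come back, the SQL portion of the CPU has not been run:
-- patching the binaries with OPatch alone does not update this view,
-- so the database-side fixes in the CPU are not yet in effect.
```

This only covers the database-side half of a CPU; the binary half is verified separately with `opatch lsinventory` on the Oracle home, and a complete "is the flaw closed?" check needs both.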
