Tuesday, November 21, 2006

Week of Day-0 bugs...Argeniss - Thumbs Down

Argeniss Information Security has announced on their website that they planned to release a Day-zero Oracle bug per day for a whole week in December. Their reasoning was that "We have 0days for all Database software vendors but Oracle is 'The #1 Star' when talking about lots of unpatched vulnerabilities and not caring about security."

Now I don't agree with Argeniss, as I see Oracle being serious about fixing their security flaws and also committed to training their developers in terms of writing secure code. Argeniss' actions are irresponsible and actually put Oracle's customers at risk. Argeniss has nothing to be "proud" of, as you have got to remember that this is a company that is willing to sell their zero day exploits for $2,500.

I don't know what dealings Argeniss or Cesar Cerrudo have had with Oracle, but this is definitely not the right way to approach the security issues with the Oracle software. A lot of organizations will not be able to do anything to fix these flaws, and the only approach is to have their firewall defenses configured to ensure that authorized and legit traffic is passed through, if that is even possible or doable. In the meantime, I can only wait to see what kind of information Argeniss will release and assess whether there is enough information (directly or indirectly) that would allow a hacker to do an exploit.

I wonder, if it is shown that a hacker is able to hack in through the Oracle software as a result of Argeniss disclosing crucial information about the exploit used by the hacker, whether the organizations affected could seek damages and compensation from Argeniss. Maybe something for the legal minds out there to ponder.


Bill said...


I'd guess that Argeniss in all probability could be liable as an accessory IF the information they provide isn't public knowledge or publicly accessible.
In either case, I agree with you - it is not right.

Bill S.

Peter K said...

Nice to hear from you again. Trust that things are going well with you.

I am sure that Argeniss has their reasons, but I can't for the life of me justify exposing Oracle customers to greater risk than they are.

Sachin said...

Hi Peter,

I deleted that entry in my blog (http://oracle-online-help.blogspot.com/).

Btw - I read that from somewhere else and thought this could help others, but I understand your point.