Oracle CSO To Customers: Leave The Vulnerabilities To Us

[Mary Ann Davidson], chief security officer of Oracle, is having a bad Tuesday. The internet has been alight these past few hours over a blog post published and quickly taken down from oracle’s servers. (archive) We’re not 100% sure the whole thing isn’t a hack of some sort. Based on [Mary’s] previous writing though, it seems to be legit.

The TL;DR version of Mary’s post is that she’s sick and tired of customers reverse engineering Oracle’s code in an attempt to find security vulnerabilities. Doing so is a clear violation of Oracle’s license agreement. Beyond the message, the tone of the blog says a lot. This is the same sort of policy we’re seeing on the hardware side from companies like John Deere and Sony. Folks like [Cory Doctorow] and the EFF are doing all they can to fight it. We have to say that we do agree with [Mary] on one point: Operators should make sure their systems are locked down with the latest software versions, updates, and patches before doing anything else.

[Mary] states that “Bug bounties are the new boy band”, that they simply don’t make sense from a business standpoint. Only 3% of Oracles vulnerabilities came from security researchers. The rest come from internal company testing. The fact that Oracle doesn’t have a bug bounty program might have something to do with that. [Mary] need not worry. Bug Bounty or not, she’s placed her company squarely in the cross-hairs of plenty of hackers out there – white hat and black alike.

60 thoughts on “Oracle CSO To Customers: Leave The Vulnerabilities To Us

  1. Oracle’s been tone-deaf to customers for the better part of fifteen years. That their RDBMS product sees very wide adoption has absolutely nothing to do with its suitability as a datastore and everything to do with rabid and zealous certification programs which were marketed heavily in the 90’s.
    It’s slow, it’s expensive, it enables stupid people to do stupid things more easily than smart people doing clever things.
    That the RDBMS product doesn’t see many CVEs is because patient and knowledgeable sysadmins lock down systems *around* the DB.

    1. The posession of MySQL doesn’t help matters any.

      After Oracle got caught with the whole kickback thing in government circles some time ago, a number of agencies quietly switched to MySQL to add another layer between themselves and Oracle as well as champion themselves as part of the Open Source movement.

      The money still flows to Oracle, Oracle still act like an ass, and the developers still can’t build a half decent database.

  2. So there advise is that no one on the planet should look for problems, just Oracle and Blackhats. Any respect for Oracle that I may have had in the past is evaporating very quickly at this moment, as my blood starts to boil.

    1. Respect for Oracle? As a business success certainly, but it was always promise the Moon, get em on a contract, deliver buggy incomplete software and lots of “we are working on it”. Get some really big customers in to so deep they have no choice and off to the sailboat races! If Ford uses it it must be good. If Prudentail uses it it must be good. A lot like MS and IBM PC in that way. “Nobody ever got fired for buying IBM”.

  3. Oracle is great in maintaining security in it’s products most notably java. (does not need /s I think)
    If looking for security is a violation of the license agreement this will make the amount of known bugs even lower.
    Perhaps it is not “the new boyband” but “new reality in highly complex software in a highly connected world”.

  4. Well excuse for looking under the hood to check why/how/if something is working. My sincerest apologies, I forgot my place. I forgot that customers are a retarded bunch of monkeys that only do random things for the malicious purpose of annoying our Great and Benevolent Corporate Overlords (and drool vigorously over keyboards). Henceforth I will most assuredly just assume that no incompetence, let alone malice is shipped into the final product that I am buying for a ton of money. If the Company says its perfect than who am I to judge?

  5. In her defense, she does have one more fair point: Most vulnerabilities found are false positives anyway. Therefore, the reporter should look through the vulnerability report, eliminate false positives, make a proof of concept if possible, etc.

    That said, if she had rephrased the whole article as “don’t just email us insanely long reports, don’t report false positives, do it properly if you really found a vulnerability, most of the time it’s going to be a false positive anyway – oh and by the way, don’t violate the license agreement”, it would have sounded a lot better.

    1. Was about to post almost the same thing. However, that one good point was mixed in with page after page of displaying her startlingly bad attitude toward security and blathering on about how Oracle’s EULA is everyone’s god now.

      She seemed to be much more upset about people having the audacity to desecrate Oracle’s all-important license agreement and put Oracle’s software under any scrutiny than people sending in useless vulnerability reports.

      1. Exactly. And this attitude of “don’t put our software under any scrutiny, we are very good at it ourselves” sounds a bit ironic when 10% of your security vulnerabilities are found by customers (87% by Oracle, 3% by security researchers, and “the rest” by customers).

        1. I don’t even know why Oracle’s discoveries are included? If there is an internal reward system for finding bugs, people could collaborate and hide a bug, and have a conspirator discover it.
          Also how do they define a vulnerability discovered by Oracle? averting a mistake in the design phase counts already?

          It is hard to define what an Oracle discovered vulnerability is. Do vulnerabilities discovered at the blackboard count? Is there an internal reward system that could have a perverse incentive of placing and discovering vulns (by having conspirators detect each other’s vulns)? Fixing a vulnerability, then accidentally reintroducing it, and then fixing it again counts as 1 or 2?

          The only numbers that objectively matter from an economic signal standpoint are that:
          * 3/13 Oracle-recognized vulns were found by security researchers NOT HIRED by customers
          * 10/13 Oracle-recognized vulns were found by security researchers HIRED by customers.

          In ignoring their customers demands for better security she is clearly testing her odds of staying in her position methinks.

    2. Really, it seems mostly bad wording and poor focus.
      If you’ve ever tried to stop a stream of bad bug reports with a similar cause, you can identify.
      Should she have focused on “don’t violate our agreement, don’t do research”? Probably not, but if that’s unacceptable, there are alternatives to Oracle.

      If it were coming from a point of “Better value for your security money by doing this stuff first” or “How to test Oracle, step 1: Secure your stuff”, or even “Here’s how WE secure our stuff (it’s our job BTW)” it probably would read a little better.

        1. being just a person is very rarely an excuse, i am not saying she cant have a bad day, but if your bad day has a chance at severely impacting performance then one should take that into account as one goes through the day.

  6. One of the frustations she is facing is that there are sham security consultants going around, performing expensive security analysis on oracle products on behalf of oracle customers. They then present their customer with a binder of issues. The customer then presents this very expensive binder to oracle where oracle says, “thanks, I’ll put this in the huge stack of identical binders from the same consulting company”.

    Of course, she then goes to attack the completely wrong problem. Does any company actually believe that any part of their code is so valuable that someone would go through the trouble to reverse engineer the source code and use that as a basis for a competing product? I hate dealing with companies that view not only their source, but their compiled code as something that others want to have any part of. It’s junk. Had to reverse engineered a fair number of drivers for hardware because of this attitude (looking at you Eurotech).

  7. If 3% of their vulnerability discoveries come from outside researchers, back of the envelope suggests that 1-2% of their security budget could profitably be spent on a bounty program. And if 1-2% of their security budget is not enough to run a bounty program they have other problems.

    1. Surprising isn’t it. Oracle is one of the most unfriendly and expensive companies out there, and they don’t like you virtualizing anything either.

      So everyone pays through the nose, and then they’re annoyed when you’re trying to not get your name in the paper due to lost data. Sounds like a company I’d like to do business with… =P

      1. Presumably they don’t mind you virtualizing your workstations, seeing as how they still host VirtualBox (Innotek -> Sun -> Oracle.) Version 5 was released last month. I’ve not played with the new version yet, but I’ve used VirtualBox quite a bit in the past. It usually does the job.

        1. You should read the VirtualBox license agreement: it’s TERRIFYING.

          Something along the lines of ‘if you’re using this product to help you make money, don’t you think you should pay us?’

  8. Stop looking for vulnerabilities! If you stop looking, they will not be found, hence they do not exist!

    Also, Microsoft, stop looking for license compliance. If you stop looking, you won’t find any pirates, and hence they do not exist.

    Stop looking for tax evaders, if you stop looking, you will not find any, hence they do not exist.

    Also, stop checking for car crash safety, if you stop looking for safety problems, they will not be found, and hence do not exist.

    1. Yes, she should stop looking in her mail for vulnerability reports, if she would just stop looking, she won’t find any reports and hence they do not exist.

      She might also stop looking at her tasks on her schedule for the day, if she stops looking, she won’t find any tasks, and hence they do not exist.

      If she keeps going down this path, she might as well stop looking for her car and house keys, if she stops looking, she won’t find any, and hence her car and house will no longer exist :)

  9. I think it’s about outside sources discovering deliberate backdoors in their offerings.

    And frankly when you look at oracle’s documentation on what half the updates add to Java you might be better off working with an old version. Because DRM support and phone-home stuff for instance is not everybody’s cup of tea.

  10. (87% by Oracle, 3% by security researchers, and “the rest” by customers).

    Break-Down of Percentages:
    Oracle – 87%
    Customers – 10%
    Researches – 3%
    Total – 87+10+3=100%

    Question: 100% of out what?
    It sounds to me Like Mary and Oracle are fudging these numbers.
    Like saying 50% of people like something ( 1 out of 2 people)

    Furthermore,
    If they are telling people not to go looking for them….then they
    are openly admitting that they have known vulnerabilities or there are things in the
    code that they don’t want you to know about — like spying or data collection, etc.

    In conclusion….they have got something to hide.

  11. Bug bounties are the new boy band?

    New?

    Shall we go back a few years^h^h^h^h^hdecades to the bounties for _The_Art_Of+Computer_Programming_? Nothing new about bug bounties, and nothing new about the arrogance of “no one else is qualified to understand our product”.

    I also have issues with the recent (since the DMCA, but especially the last five years or so) trend of interpretting copyright as equivalent to the war secrets act. Not even DMCA makes copyrighted material secret. I will not get into the issues with prior restraint on circumvention.

    1. I poked holes into small scripts that people thought were foolproof and they could easily oversee.
      In other words it’s known as near impossible to release anything 100% secure and without some hole somewhere. (Although sometimes it takes decades to find the flaw.)

      1. Unfortunately, in today’s doctrine of “push to release for market share – patch later(maybe)”, it is happening more and more often, with greater and greater consequences. Of course nothing is ever going to be 100% perfect nothing ever is. But there is such a thing as due diligence and when you threaten people that point out flaws to you with legal action, that is not due diligence. That is obfuscation.

        1. True enough.

          And then there’s the constant adding large chunks of perhaps not-so-needed functions. that then again are likely to have a whole new set of holes. Although Adobe probably will remain the master of that behavior…

  12. >Only 3% of Oracles vulnerabilities came from security researchers. The rest come from internal company testing

    But do internal company testers have to reverse engineer the code? or do they just jump the first hurdle by looking up the source code. That’s like saying “our safe crackers we’re able to open 10/10 unlocked safes”

  13. This bugtraq post (http://seclists.org/bugtraq/2005/Oct/56) is indicative of Oracle’s attitude to security: a Proof of Concept SQL string had a space in it (unrelated to the actual vulnerability), so they “fixed” the code by ignoring spaces in that location. The exploit still worked perfectly well after a slight tweak.

    Don’t believe their denials about the post not representing Oracle. Oracle are pushing to make reverse engineering illegal.

    Also check out #OracleFanFic on twitter, e.g. @send9
    [+] Building exploit string…
    [+] Executing shellcode…
    [!] Exploit failed due to EULA violation!

  14. The solution is simple. If you are swamped with vulnerability reports, put more people on them. Larry Ellison has change enough in his pockets to personally finance those people. Or he can fire some high-up managers and free money that way. We all know that these managers got there because of their contacts anyway. They are ‘nice to work with’ for the other high-up managers, and that’s why they are in their place. Not because of being particularly good managers.

  15. BTW it’s a bit deceitful to claim “93% of bugs are found in-house” because obviously as you code you will find a bug and fix it, thus ALL companies and ANY organization that has coders have 95% of total bugs found and fixed in-house..
    So the whole thing is doublespeak meant to fool people

    And ironically the more inept your coders are the more they make mistakes that they have to fix before release, so the higher the percentage becomes :)

    1. Yes, but 95% of what? For any customer bug report they could file 999 internal bug reports and claim they fix 99.9% of bugs in house. They are neither needed to disclose the number of their bugs, or customer bugs, so they can inflate these numbers at will and say the percentage they like.

      1. True….how about this 90% of bugs meaning 9 bugs out of a total or 10…hence why I said (in an earlier comment) that they are probably fudging (or using fuzz math) those statistics.

  16. This, on top of their arrogance about the Java API’s (their lawsuit against Google/Android) is one reason I’m glad I write software in C/C++ and C#; no chance of them accusing me of reverse engineering their software to the detriment of the Oracle bottom line.

  17. Archive of the full post is here.
    http://seclists.org/isn/2015/Aug/4

    I think the point she was trying to make – but somewhat failed and with an air of arrogance/frustration – is that customers/security consultants running the token community security analysis tools are unlikely to discover something new that Oracle has not already discovered themselves internally as part of continuous integration triggered tooling (using identical tooling – plus more) and either corrected or marked as false-positive.

    In addition to the standard 3rd party vendor tools (things like Fortify etc) and community security tools, Oracle incorporated static and dynamic tooling from its research arm in 2012; check the publications associated with this link and decide for yourself whether security is being treated seriously
    https://labs.oracle.com/pls/apex/f?p=labs:bio:0:21

  18. I’m not a software hacker, more the hardware guy, but to me her blog post doesn’t sound bad at all. I can understand that she doesn’t want to be bothered with useless reposts. I have the feeling there is quite a bit of a questioable “security consulting” market that lives of fear. If my company ressources were wasted by something like this, I’d also be pissed. If I imagine somebody taking my devices apart and telling my about supposed flaws in them without being able to properly understand the circuit… Not a nice image.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.