While details of the flaws have not been made public, David Litchfield, managing director of security software firm Next-Generation Security Software, gave some general information about the issues at the Black Hat Security Briefings in Las Vegas last week.
"Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better," the company said in a statement sent to ZDNet UK sister site CNET News.com. "Oracle has fixed the issues ... and will issue a security alert soon."
While information about the database flaws was to be released last week, the lack of patches convinced the security researcher to hold off. Litchfield first notified the software company of the problems -- some of which he ranked as critical -- in January.
Litchfield said on Tuesday that although he has repeatedly pointed out the flaws in its database software, Oracle has yet to issue any patches due to an ongoing shift in its corporate policies for releasing such information. The bug hunter added that by waiting to issue the security fixes, the company put itself before its customers.
"There are a whole range of issues," he said. "They're effectively leaving their customers exposed to unnecessary risks, and I think they're being a bit short-sighted by sitting on these patches for months."
Oracle released a patch for a critical flaw in the company's Oracle 11i E-Business Suite in June.
While Litchfield refused to elaborate in detail on the problems in the software, which he fears would allow hackers to rapidly launch attacks against Oracle's customers, he said the problems range from large to small, encompassing everything from so-called buffer and heap overflow issues to poorly protected passwords. In some cases, he said people without any username or password information could gain access to the Oracle systems, while in other cases individuals with only limited access permissions could covertly upgrade their status to database administrator levels.
Litchfield said he first began actively looking for holes in Oracle's software two years ago when the company launched its "unbreakable" marketing campaign, which touted the security strengths of its database software. With the help of several colleagues, Litchfield claims he found close to 50 flaws in the vendor's database programs in less than 24 hours.
"It was probably unwise for Oracle to advertise itself as unbreakable, and I know it raised some eyebrows even within the company," he said. "But marketing doesn't necessarily consult the developers when it builds its message for the public, and I think even now they'd admit that the claim really only speaks to Oracle's dedication to improving security in its products."
Litchfield points out that anyone who takes the time to peruse the company's listings of its previous security patches can figure out for themselves how vulnerable the company's products have been. However, the security expert said that Oracle is no more culpable of trying to hide that reality than many of its competitors, including Microsoft, IBM and others.
Litchfield said that Oracle may want to take a page from Microsoft's book in terms of improving the company's overall approach to patching holes in its software.
"Microsoft has traditionally been a big target, and they've suffered publicly because of that," he said. "But Microsoft has adopted better internal processes to address the problem, and they've now advanced past the rest of the market in terms of their ability to respond to new issues."
Talkback
And while they're at it, can they please add a flag to indiate NULL<>''. The stupid Oracle behaviour of treating blank strings as NULL breaks Codd's laws of relational databases, and makes life a headache when creating cross database solutions.