A Patch Is Not Always a Patch

The general rule, when a company releases a patch, is that you should apply it immediately in order to fix vulnerabilities. But sometimes a patch is not actually a patch; it is a configuration workaround.

That's what Oracle released earlier this week. According to Qualys, this patch is for the CVE-2012-1675 vulnerability and addresses a zero-day named "TNS Poison," which allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener. As Wolfgang Kandek said in his blog post:

The vulnerability is in the TNS listener part of the Oracle database server and allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener. The listener will then start load-balancing traffic to the new instance. This allows the attacker to receive the database transactions, record them and forward them to the original database. The attacker can potentially modify the transactions and execute commands on the original database server.

The concern here is Oracle's approach to fixing the vulnerability with a workaround rather than developing an actual patch. Ericka Chickowski at Dark Reading pointed out that this is just one of a number of Oracle's customer-service failures, particularly with its database applications. As Josh Shaul from Application Security's TeamSHATTER told me:

These are the systems we unknowingly rely on for so many of the details in our daily lives, from the bank machine to the toll booth through the office turnstile, and almost everywhere online. The fact that they have known vulnerabilities in them for sometimes years without a fix becoming available is disconcerting, but it's a reality that we need to address head on. If you're responsible for the security of databases or other systems that house vast amounts of sensitive data, be aware that an attacker may be able to exploit one of these unpublished holes and get access to your information.

Why has Oracle failed, or at least frustrated countless security experts, when it comes to prompt and effective patches for its databases and other software applications? Shaul thinks that customers need to be more vocal in demanding better service when it comes to fixing holes:

If the corporations that spend millions of dollars on database software demanded more transparency and better responsiveness to vulnerability reports, they would get it. Until then, Oracle and others are free to fix issues in any order and timeframe that they choose.

Not happy with this particular fix? Maybe it is time that customers let their concerns be known. In any case, TeamSHATTER did provide the following info regarding the Oracle fix:

1. This is NOT a patch; it is a detailed, step-by-step set of instructions for the workaround.

2. Oracle had to change its licensing model overnight to actually allow customers to gain access to this workaround, which was previously the "Advanced Security" paid premium feature.

3. Oracle knew about this vulnerability for FOUR years and still has yet to fix it. It appears evident that the company had no plans to do anything until this action. How many other major vulnerabilities exist that aren't being taken care of? You can bet this isn't the only one.

4. Oracle continues to water down CVSS scores and has this critical vulnerability listed as a 7.5, whereas non-Oracle security researchers are listing this as the highest CVSS score possible, 10.0.
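For readers who want to see what the workaround amounts to on the listener side, here is an added illustration of the Class of Secure Transports (COST) setting Oracle's guidance relies on; it is not text from the article, from TeamSHATTER or from Oracle, and the hostname, listener name and IPC key are constructed placeholders. Verify the parameter names against Oracle's support note for your release before relying on them.

```text
# --- Before: a typical default listener.ora (constructed example) ---
# Nothing restricts which endpoint may register an instance. Any host that can
# reach port 1521 can send a registration and be added as a service target,
# which is exactly the behaviour TNS Poison abuses.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
    )
  )

# --- After: COST restricts instance registration to a local transport ---
# The TCP endpoint stays for client connections; a second, IPC endpoint is
# added purely so the local instance has a non-network path to register on.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
    )
  )

# Accept service registration only over IPC, so registrations arriving over
# TCP from any remote host are refused. (TCPS) is the alternative when the
# instance must register from another node; that is the SSL transport whose
# licensing the article's point 2 refers to.
SECURE_REGISTER_LISTENER = (IPC)

# Alternative for environments that can list services statically instead:
# DYNAMIC_REGISTRATION_LISTENER = OFF

# Instance side (init parameter, not listener.ora): point LOCAL_LISTENER at
# the IPC endpoint so the legitimate instance still registers, e.g.
#   LOCAL_LISTENER = '(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))'
# then reload the listener with: lsnrctl reload
```

After the change, `lsnrctl services` should still show the real instance as registered, and a test registration attempt from another host should no longer appear in the service list.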