Shark hunter says Ellison needs a bigger boat

jawsTop security analyst David Litchfield has returned to hunting holes in Oracle software, after a comparatively less daunting task of finding Great White Sharks, and he apparently found  Larry Ellison’s team has not improved during his time off.

Litchfield retired a few years ago from his job of creating major headaches for Oracle and went scuba diving and looking for sharks. Apparently, the sharks gig was dull in comparison to his job hunting holes in Oracle software so he returned to dry land.

Litchfield has been looking at Ellison’s new data redaction service called the Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations.

However Litchfield told the Black Hat USA conference that it is packed with trivially exploitable vulnerabilities

If Oracle had followed any sort of software development life cycle instead of just paying lip service to it, every one of these flaws would have been caught. It is kindergarten stuff, he said.

Litchfield found several methods for bypassing the data redaction service and tricking the system into returning data that should be masked.

Litchfield said that it was so simple to hack the service he did not feel right calling them exploits.

He said Oracle was still not learning he lessons that people were leaning in 2003. He said that in the space of a few minutes he could find a bunch of things that I can send to Oracle as exploitable.

The data redaction bypasses that Litchfield found have been patched, but he said he recently sent Oracle a critical flaw that enables a user gain control of the database. That flaw is not patched yet but is coming.