Tech Watch | InfoWorld Staff

November 20, 2006 | Comments: (0)

Week of Oracle zero-days planned

Database security researcher Cesar Cerrudo is taking a page out of the Metasploit Project playbook, announcing that his company, Argeniss Information Security, will publish a previously unknown (zero-day) vulnerability for Oracle databases each day for the first week in December, according to a message posted on the Argeniss Web site.

The exact date hasn't been set yet, but Cerrudo says December 4 is the likely kick-off date. As to "Why"? "We want to show the current state of Oracle software ("in") security also we want to demonstrate Oracle isn't getting any better at securing its products (you already know the history: two years or more to fix a bug, not fixing bugs, failing to fix bugs, lying about security efforts, etc, etc, etc.)."

Argeniss is following in the footsteps of H.D. Moore, who said in July that he would release a new, zero-day Web browser bug each day that month. Another project, the "Month of Kernel Bugs," was launched in November by a researcher who uses the handle "LMH."

Cerrudo told Tech Watch that his company knows of around 75 unpatched Oracle vulnerabilities and could easily muster a month of them, but that the week should be enough to send the message to the company and force them to "start fixing vulnerabilities and improving security because Oracle customers will realize of (sp) the threats they are currently facing."

As for aiding and abetting cybercriminals, Cerrudo said that his company won't release anything that doesn't require users to authenticate, and that criminals may already know about many of the 0days his company will post. "It's not a big deal to find zero-days in Oracle software," he said.

Posted by Paul Roberts on November 20, 2006 01:33 PM

