After two 'Hole Months', now a 'Hole Week'
There now appears to be a trend among security researchers to dedicate a fixed time frame to a single theme. Following in the footsteps of July's Month of Browser Bugs (MoBB) and this month's Month of Kernel Bugs (MoKB), a Week of Oracle Database Bugs (WoODB) has now been announced for early December. The initiator this time is Argeniss, a company run by Argentinian security specialist Cesar Cerrudo.
The WoODB will entail publishing one hole per day for which software maker Oracle has not yet released a patch. A short FAQ included with the announcement explains the motivation behind the event and why there is no Month of Oracle Database Bugs: while there are, the FAQ claims, enough security holes in Oracle to fill an entire Year of Oracle Database Bugs, a week seems sufficient to make the point that Oracle is still neither shipping safe products nor delivering timely security updates. Oracle was selected because the company is currently number one among database vendors; the week could just as easily have been dedicated to the many holes in products from other manufacturers.
Not everyone is amused by the announcement. Alexander Kornbrust, a database security expert at Red-Database-Security, argues that publishing holes and exploits in this manner does nothing to improve security. While it does draw the attention of IT security officials to the problems, it seems unlikely that patches for the holes will be released before April 2007, unless they happen to make it into Oracle's January batch of patches. Other database specialists such as David Litchfield publish details of database holes only once three months have passed since the release of the relevant updates. Kornbrust also rejects the basic premise of the WoODB: in his view, Oracle demonstrably improved its security in 2006.
- The Week of Oracle Database Bugs, announcement by Argeniss