
Cracks spreading...
Published: 23 November 2001 16:30 GMT
Oracle is coming under increasing fire for its repeated claims that its software platform is "unbreakable" and able to withstand the best efforts of any hacker.
silicon.com has spoken to two IT security firms in the last week that have found vulnerabilities in Oracle's flagship software and said the database giant is currently working on patches.
Oracle's decision to use the "unhackable" guarantee as its marketing mantra has surprised many. Privately, the company's techies are thought to be upset by the stance, which has made the company's software a chief target for the hacking community.
Larry Ellison, CEO of Oracle, kicked off the new campaign last week at US trade show Comdex, where he said the database had so far evaded all attempts to hack it.
This week the company has been taking out front page adverts in the Financial Times offering users the chance to make their Microsoft applications "unbreakable" by running them on the Oracle application server platform.
Ian Peacock, security consultant for penetration testing company Defcom, said: "This is bad, because if IT directors or company directors believe this then they might think they don't need to employ IT security as long as they have Oracle.
"One of the biggest problems the industry faces is a lack of security awareness. This is just trying to build on ignorance."
Last month Defcom highlighted a serious buffer overflow vulnerability in Oracle's 9i application server.
Peacock said there were also well-known denial of service vulnerabilities in Oracle systems.
Security consultancy PenTest also said it has discovered vulnerabilities in Oracle's application suite, and added it is currently working with the database company to resolve those flaws.
John Denneny, MD of PenTest, said: "There are vulnerabilities in Oracle's applications, and by saying this Oracle is just making itself into a target. We know customers want their Oracle suite more secure than they can currently get them."
In Oracle's defence, he said the company had responded promptly to the vulnerabilities PenTest discovered and was taking the issue seriously.
Oracle has avoided hitting the headlines with security slip-ups, but Ellison's latest boast puts the company firmly in the spotlight.
Oracle was unable to provide a spokesperson to respond to the news.
In a written statement it said: "Oracle9i is designed to be an unbreakable infrastructure. Oracle's customers can store all their data in the industry's most secure database and the data will not be compromised... Oracle9i Database has 14 independent security certifications - 14 more than both IBM and Microsoft."
Copyright © 2008 CBS Interactive Limited. All rights reserved.