Litchfield's Last Hurrah

Yesterday was David Litchfield's last day at NGS Software, and he commemorated the milestone by dropping a zero-day vulnerability in Oracle's 11g database at Black Hat DC. He also surprised the audience -- and possibly himself -- by awarding Oracle a "B+" final grade for security in 11g, after nearly 10 years of keeping Oracle on its toes by calling out vulnerabilities in its database technology.

Dark Reading logo in a gray background | Dark Reading

Yesterday was David Litchfield's last day at NGS Software, and he commemorated the milestone by dropping a zero-day vulnerability in Oracle's 11g database at Black Hat DC. He also surprised the audience -- and possibly himself -- by awarding Oracle a "B+" final grade for security in 11g, after nearly 10 years of keeping Oracle on its toes by calling out vulnerabilities in its database technology."[I've] been bashing heads since Larry Ellison said [Oracle's database] was 'unbreakable.' It was like waving a red flag to a bull," Litchfield quipped during his presentation at Black Hat DC yesterday on his latest research.

It's unclear where Litchfield will go from here now that he has retired from NGS -- he wouldn't commit publicly on his official plans, except to say he's taking some time off and plans to do some diving. It's hard to imagine this, indeed, is the last we'll see of his groundbreaking database security research days. But, somehow, it feels like the end of an era.

Litchfield said even with the latest flaw he discovered, Oracle's 11g is "vastly superior" security-wise compared to its software two years ago, mostly thanks to the security tools Oracle now runs to check for flaws. But Oracle actually relies too heavily on security tools to catch problems in its code before the products ship, he said. "They use tools too much as the goalkeeper" to make the save, Litchfield said, which doesn't always work.

"They don't need to go back to the drawing board -- they just need to tweak it," he said.

Overall, Oracle's bug count is down 35 percent since the 10gR2 release, Litchfield said, and the severity of vulnerabilities has also declined -- all good news. But he demonstrated an attack exploiting an unpatched flaw he discovered in 11g that lets a low-privilege user grant himself the ability to execute operating system commands and files. "We just made him the administrator," Litchfield said during the demo.

A parting shot: The latest 11g flaws he found could have been discovered much earlier by Oracle (during the software requirements or design phases) had Oracle used a secure software development life cycle program, he said.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights