Small security firm puts spotlight on big vendor bugs

News earlier this week that Oracle was sitting on patches for 34 undisclosed vulnerabilities in its database software may have come as a surprise to some, but not to David Litchfield, the researcher who discovered the holes.

News earlier this week that Oracle was sitting on patches for 34 undisclosed vulnerabilities in its database software may have come as a surprise to some, but not to David Litchfield, the researcher who discovered the holes.

“In general, bugs are getting harder to find, but in some people’s software you don’t have to look very hard to find bugs – they just fall apart in your hands… like Oracle’s,” Litchfield said in an interview Thursday.

Software doesn’t fall apart in everyone’s hands, of course, but Litchfield and his team at Next Generation Security (NGS) Software, in Sutton, England, seem to have a knack for finding holes.

As of Thursday the security research company said that it had discovered 67 current undisclosed vulnerabilities in major vendors’ software, on top of those found in Oracle’s. The lion’s share of those exist in enterprise applications and many are remotely exploitable, NGS said. Last year the firm discovered 97 vulnerabilities, according to Litchfield, who added that it was “a slow year.”

NGS has made it its business to find holes and fixes, and claims to have delivered more security advisories than any other research firm worldwide. The company says it is not in the business of disclosing exactly where and in whose software unpatched vulnerabilities lie, as this would leave them open to exploitation by hackers.

Oracle’s database vulnerabilities surfaced when Litchfield mentioned the problems during a presentation at the Black Hat security conference in Las Vegas last week. Litchfield said he told Oracle about the vulnerabilities in January and that although the software company prepared patches two months ago, it delayed releasing them because it was in the middle of introducing a new patch distribution system. Oracle released a statement saying that it takes its security very seriously, but declined to comment further on the matter for this article.

Litchfield was highly critical of Oracle’s delay, but this is not the first time he has had a run-in with the company. Litchfield is credited with being the first researcher to discover vulnerabilities in Oracle’s 9i database software after the company launched a marketing campaign touting it as “unbreakable.”

In general, he has established the reputation of being a pro bug hunter, discovering the vulnerability of Microsoft’s SQL Server to the Slammer worm. He also found a number of crucial holes in the software maker’s Internet Information Server (IIS).

To software vendors, Litchfield could potentially be seen as either a predator, constantly seeking to discover their weaknesses, or a best friend, someone who makes them aware of their vulnerabilities before they are compromised.

But either take on the affable 28-year-old seems ill-suited. Neither exuberant do-gooder nor one clearly touched with schadenfreude, Litchfield seems to be what he says he is: a techie.

Before he turned his focus on bugs, Litchfield was interested in animals. At university he studied zoology but dropped out after seeing the 1995 movie “The Net,” in which Sandra Bullock plays a computer analyst whose identity gets “deleted.”

“I was amazed by the film and wanted to go into technology,” Litchfield said. After leaving university, Litchfield said he bought a technical study guide in a bookstore, “learned it by heart,” and took a test to become a Certified Novell Administrator. In 1997 he got his first job in IT.

Within a couple of years, he found himself working on security and decided to go into business with his older brother Mark, now 30, who shares his enthusiasm for technology. They launched Cerberus Information Security in 1999 and in 2000 it was bought by U.S. security company @stake.

In 2001 the brothers formed NGS Software and soon brought another Litchfield into the mix: Dave Litchfield Sr., who took over management of the company’s finances after retiring from the Royal Marines.

Now the Litchfield triumvirate, together with the other members of the NGS Software team, seem to have hit their stride.

The company has been contracted by Microsoft to help deliver the much-anticipated Windows XP Service Pack 2 software security update, due out this month. NGS performs most of its bug hunting for free, to bolster its reputation, in addition to selling its own security software.

It has also recently been tapped to give advanced notification of vulnerability information to the U.K.’s National Infrastructure Security Co-ordination Centre (NISCC), and for some time shared information with the U.S.’s infrastructure protection authorities.

The company is quickly growing, from a staff of around 10 last year to 26 currently, and more openings are posted on the company’s Web site. In its expansion, NGS has brought some more young and bright researchers onboard, Litchfield said, like 17-year-old Peter Winter-Smith who has discovered a number of the currently undisclosed vulnerabilities touted by the firm, and 24-year-old John Heasman.

“He’s scarily intelligent,” Litchfield said of Heasman.

NGS, like other companies in its industry, has gained momentum at a time when software vendors and technology providers are coming under increased pressure to shore up their security against a growing wave of threats.

Attacks have not only become more frequent in recent years, they have become more sophisticated as hackers become better schooled in how to exploit holes.

In the game of cat and mouse between vendors and hackers, security researchers occupy a strange space between ally and foe. For vendors, they can both reveal and protect against security holes; for hackers, they can identify targets, as well as conceal them.

But Litchfield sees NGS as ultimately being on the side of software users, trying to make their systems more secure.

“It’s getting harder to find bugs so that means we are doing our job,” Litchfield said. He added that with the recent Oracle incident aside, “most vendors are fairly speedy and deliver patches to customers when they have them ready.”

Although having fewer bugs is their ultimate goal, finding them is still the fun part of the job, Litchfield concedes.

When asked how many undisclosed vulnerabilities NGS had currently uncovered, Litchfield said “97.” Then a pause.”What was that, Mark? 98! He just found another one,” he said.

Half an hour later, Dave Sr. sent an e-mail. “Really important new news is that we now have 101 outstanding vulnerabilities,” he wrote.