Security Researcher Says Oracle Slow to Fix Flaw
Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"
What if they can't fix the problem immediately?
I am a programmer, and when I find bugs in my code "pre-release" I find it beneficial. However, some of the bugs take me a substantial amount of time of debugging before I finally find a fix.
With a codebase as large as Oracle's, it could take an extremely long time.
This is unfortunate.
Windows? I haven't used that since 1999. Fix the Slashdot Problems
Litchfield is putting Oracle's customers at risk? I don't think so. Oracle put their customers at risk; Litchfield merely told those customers that they were at risk and in what way. He gave Oracle 3 months to either fix the problem or inform their customers, and Oracle did neither, so I'd say the problem is all of Oracle's making. If they'd placed their customers' security over their own PR within a reasonable timeframe, Litchfield wouldn't have had to embarrass them this way.
Another example of why "reasonable disclosure" doesn't work well.