Slashdot Mirror


Security Researcher Says Oracle Slow to Fix Flaw

Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"

6 of 91 comments

  1. A Cultural Thing? by ackthpt · · Score: 4, Interesting

    [...] Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit.
    Oracle borrowing from the Microsoft Security-Fixing Playbook?

    "we'll get around to it when we get around to it and not a moment sooner"

    Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'
    Oracle borrowing Microsoft's tactics? What next, alerting Department of Homeland Security?

    Litchfield is al qaeda, you betcha!

    Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.

    that flaming car, ralph's fault, he's al-qaeda, too.

    Small wonder people have no problem at all in buying imported products and services considering the culture of ass-covering in the United States. Remember when American-made goods were the best in the world? Seems a distant memory now.

    prepare a statement to the media which blames others for the problem, distances us from it and doesn't harm our stock value, oh and discontinue our practice of sending out new versions/models for review, tell everyone they just have to trust us that everything is fine and not very many people died horrible flaming death during testing of the software and/or new car model

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:A Cultural Thing? by ackthpt · · Score: 2, Interesting
      Remember when American-made goods were the best in the world?
      I'm only 34, so, no.

      Not actually that long ago for many things. I've still got a set of sockets, one of which withstood 175 ft/lbs of torque to remove a stubborn headbolt on an AMC 360 V8 (the engine was wrecked by a dropped valve and shattered piston, but in the sort of grim fascination engineering types hold for such things, we just had to take it apart to see the carnage). Two Taiwanese sockets (lifetime guarantee!) split at about 90 ft/lbs.

      Friends returning from being stationed in Korea were fascinated by the locals' affinity for American-made toasters, pans, etc., which servicemen and their families had taken with them but chose not to haul back home. Seems the Koreans preferred these goods as they were far more durable than anything they could find in their markets. Ok, that was probably 10 years ago or so, but you weren't living under a mushroom at that time, were you?

      --

      A feeling of having made the same mistake before: Deja Foobar
  2. Re:Really a problem? by Todd Knarr · · Score: 2, Interesting

    If Oracle can't fix the problem in 3 months, at least they could inform their own customers so they could take protective measures of their own. That Oracle could do inside of 3 months no matter how complex the bug is to finally fix.

  3. Re:Really a problem? by GrenDel Fuego · · Score: 4, Interesting

    What if they CAN'T fix the problem immediately?

    If they can't fix it immediately, then they should let him know WHEN they're going to fix it. David announced this because he was expecting a fix in the January update, and it was not there.

    On top of this, for the past few months he's been complaining about the fact that some of the vulnerabilities he has told Oracle about have gone unpatched for 2+ years. He has already tried the "responsible disclosure" route with Oracle. They're just not being responsive.

    I think that his announcement and others like it will be the only way to get Oracle to respond. I'm just worried about what this means for the next X months.

  4. ever heard of regression testing? by bobalu · · Score: 3, Interesting

    I mean, gee, it's not like they have to test it on a huge number of platforms or anything right? Much better to rapidly fix the bug and then break a bunch of running code, bringing large businesses down to their knees.

    Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.

    --
    The revolution will NOT be televised.
  5. Re:Really a problem? by hackstraw · · Score: 2, Interesting

    If Oracle can't fix the problem in 3 months, at least they could inform their own customers so they could take protective measures of their own. That Oracle could do inside of 3 months no matter how complex the bug is to finally fix.

    I admin an Oracle database, and I am not a fan (I am also NOT a DBA, it's just a small part of my job for bioinformatics research). With the latest worms and whatever security announcements, it seems as a registered and paying metalink member, I should quickly and easily download the latest patches off of their site.

    Well, last Friday, I gave up on finding the patches after 20 minutes of searching for them. I sent a problem report asking them what year their calendar said, because mine says 2006. That is ridiculous.

    I've always been under the assumption that all databases are insecure, and should be firewalled off and remotely accessed from a trusted machine over a private network. That seems to be the best thing to do.