Security Researcher Says Oracle Slow to Fix Flaw

Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"

A Cultural Thing?

[ackthpt]

[...] Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit.

Oracle borrowing from the Microsoft Security-Fixing Playbook?

"we'll get around to it when we get around to it and not a moment sooner"

Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"

Oracle borrowing Microsoft's tactics? What next, alerting Department of Homeland Security?

Litchfield is al qaeda, you betcha!

Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.

that flaming car, ralph's fault, he's al-qaeda, too.

Small wonder people have no problem at all in buying imported products and services considering the culture of ass-covering in the United States. Remember when american made goods were the best in the world? Seems a distant memory now.

prepare a statement to the media which blames others for the problem, distances us from it and doesn't harm our stock value, oh and discontinue our practice of sending out new versions/models for review, tell everyone they just have to trust us that everything is fine and not very many people died horrible flaming death during testing of the software and/or new car model

Re:Really a problem?

[GrenDel+Fuego]

What if they CANT fix the problem immediately.

If they can't fix it immediately, then they should let him know WHEN they're going to fix it. David announced this because he was expecting a fix in the January update, and it was not there.

On top of this, for the past few months he's been complaining about the fact that some of the vulnerabilities he has told Oracle about have gone unpatched for 2+ years. He has already tried the "responsible disclosure" route with Oracle. They're just not being responsive.

I think that his announcement and others like it will be the only way to get Oracle to respond. I'm just worried about what this means for the next X months.

ever heard of regression testing?

[bobalu]

I mean, gee, it's not like they have to test it on a huge number of platforms or anything right? Much better to rapidly fix the bug and then break a bunch of running code, bringing large businesses down to their knees.

Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.