Slashdot Mirror


Security Researcher Says Oracle Slow to Fix Flaw

Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"

1 of 91 comments

  1. people need to be realistic by SethJohnson · Score: 0, Troll

    Why doesn't Oracle just acknowledge the problem and then fix it?

    Oracle's DB products are unbelievably complex pieces of code which support tens of thousands of dependencies from other pieces of code, many of which weren't even created by Oracle. It's not as simple as, "Hey. Let's throw this patch out on our website and tell everyone to install it."

    This dude shows up with some kind of exploit and then has the gall to dictate to Oracle what their bugfix release schedule should be?!? That's a real narrow view of the situation. Not only are they having to design a fix for the exploit in the current version, but they have to ensure it doesn't conflict with their future versions currently in development. And then they have to do regression testing to ensure it doesn't break dependencies. And then they gotta give it out to their customers who will also be running the same kind of regression tests before they deploy the patch to their live servers.

    As an Oracle customer, I'd prefer that they release cumulative fixes on an established schedule rather than ring a Defcon 1 alarm whenever someone finds a bug that may not even impact my installation. Releasing patches as one-off fixes causes more headache for the customer in repetitive testing. As it is, Oracle publishes bugfixes quarterly, and they probably didn't have time to fit this fix into their testing matrix, etc. by the time they were notified of the problem. They also probably evaluated the bug and determined it didn't pose that much of a risk.

    I'm not saying Oracle customers shouldn't demand quick turnarounds on bugfixes, but this guy kind of comes across as a control-freak who wanted to make a big corporation jump through a hoop and when they didn't, he went crybabying to securityfocus.

    Seth