Slashdot Mirror
Security Researcher Says Oracle Slow to Fix Flaw
Billosaur writes "A report by Robert Lemos of SecurityFocus in The Register states that Oracle is being criticized by David Litchfield of Next-Generation Security Software for failing to rapidly patch a known flaw in its database software. Litchfield had made Oracle aware of the flaw last October and is now taking them to task for their slow response to the exploit. Oracle, in turn, has attacked Litchfield: 'We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available... What David Litchfield has done is put our customers at risk.'"
Oracle borrowing from the Microsoft Security-Fixing Playbook?
"we'll get around to it when we get around to it and not a moment sooner"
Oracle borrowing Microsoft's tactics? What next, alerting Department of Homeland Security?Litchfield is al qaeda, you betcha!
Honestly we can't blame this tactic on Microsoft, though they have been highly visible in this regard, due to their high volume of security flaws. It's almost as bad as a bunch of automaker executives running away from a flaming car and blaming it on Ralph Nader.
that flaming car, ralph's fault, he's al-qaeda, too.
Small wonder people have no problem at all in buying imported products and services considering the culture of ass-covering in the United States. Remember when american made goods were the best in the world? Seems a distant memory now.
prepare a statement to the media which blames others for the problem, distances us from it and doesn't harm our stock value, oh and discontinue our practice of sending out new versions/models for review, tell everyone they just have to trust us that everything is fine and not very many people died horrible flaming death during testing of the software and/or new car model
A feeling of having made the same mistake before: Deja Foobar
What if they CANT fix the problem immediately.
I am a programmer and when I find bugs in my code "pre-release" I find it benefitial. However, some of the bugs I have to spend a substantial amount of time debugging to finally find a fix.
With the code as large as Oracle's code is.. it could take an extremely long time.
This is unfortunate.
Windows? I haven't used that since 1999. Fix the Slashdot Problems
Litchfield is putting Oracle's customers at risk? I don't think so. Oracle put their customers at risk, Litchfield merely told those customers they were at risk and in what way. He gave Oracle 3 months to either fix the problem or inform their customers, Oracle did neither, I'd say the problem's all of Oracle's making. If they'd placed their customer's security over their own PR in a reasonable timeframe, Litchfield wouldn't have had to embarrass them this way.
Another example of why "reasonable disclosure" doesn't work well.
We are always disappointed when software companies force us to publish details of vulnerabilities before making a fix available.
As bad as it is to publish unpatched vulnerabilities, it's worse if a company chooses to ignore security altogether. Ignoring security and suppressing vulnerability reports demands that vulnerabilities be published. People generally won't publish vulnerabilities if they see that the company it taking them seriously.
I mean, gee, it's not like they have to test it on a huge number of platforms or anything right? Much better to rapidly fix the bug and then break a bunch of running code, bringing large businesses down to their knees.
Yes, the bug puts their customers at risk, but detailing the exploit for everyone to see REALLY DOES HELP THE BAD GUYS. Otherwise they have to figure it out for themselves, which is quite a bit harder.
The revolution will NOT be televised.