Unbreakable Software Broken By Helpful Security Researcher?
from the define-unbreakable dept
Oracle is now facing a situation similar to the one Microsoft faced a few weeks ago. After a vulnerability was exposed that Microsoft was slow to fix, an independent security researcher created his own patch for it -- which Microsoft reacted negatively to (though it did speed up the release of its own patch). Oracle is in the same position. While it released a security patch recently, that patch didn't fix a vulnerability that one researcher felt was particularly critical -- and not that difficult to fix. So he fixed it himself and released the patch. Now Oracle is quite upset about the independent patch, claiming that just by releasing it, the researcher has alerted those with malicious intent to the flaw, while also claiming that fixing the security hole isn't as easy as the researcher made it out to be. However, here's where Oracle's spokesperson made a poor choice of words. For a while, Oracle had been marketing some of its products as "unbreakable" -- and even though it meant that in a very specific way, it still leaves the company open to some ridicule when it's quoted as saying "We know it will break a number of Oracle products..." in discussing the researcher's patch. If an independent security researcher trying to fix a vulnerability "breaks" your software, it's tough to see how it's "unbreakable."
Reader Comments
Re: SSDD
Vulnerability really that bad?
If it was (and the description seems to indicate that it was) - a patch from any source is better than none.
It is then up to the customer to be responsible for testing and stability of his own custom patched software.
Re: SSDD
No, I think he is referring to any of dozens of "features" that Microsoft has included in Windows and Internet Explorer that are actually incredible security risks. Just look at your Windows Updates. There is something wrong when there can exist security flaws that could allow a malicious party to control a computer remotely--in Media Player.
Re: SSDD
Embracing the patch that's been released is not a good idea. The legal exposure is immense. I would not endorse someone else's software simply because I don't want to get sued. Do I personally think the patch was better - probably. Would I install it on my own Oracle implementation - sure, after testing on my own baseline lab. Would my bosses sue Oracle if they recommended a 3rd party patch and it crashed us or introduced a security hole - you betcha!