Unbreakable Software Broken By Helpful Security Researcher?

from the define-unbreakable dept

Oracle is now facing a similar situation to the one that Microsoft faced a few weeks ago. After a vulnerability was exposed with Microsoft was slow to fix, an independent security researcher created his own patch to fix it — which Microsoft reacted negatively to (though, they did speed up the release of their own patch). Oracle is in a similar situation. While they released a security patch recently, it didn’t fix a security vulnerability that one researcher felt was particularly critical — and not that difficult to fix. So he fixed it himself and released the patch. Now, Oracle is quite upset about the independent patch, claiming that just by releasing it, the researcher has alerted those with malicious intent to the flaw, while also claiming that fixing the security hole isn’t as easy as the researcher made it out to be. However, here’s where Oracle’s spokesperson made a poor choice of words. For a while, Oracle had been marketing some of their products as “unbreakable” — and even though they meant it in a very specific way, it still leaves them open to some amount of ridicule when they’re quoted as saying: “We know it will break a number of Oracle products…” in discussing the security patch. If an independent security researcher trying to fix a vulnerability “breaks” your software, it’s tough to see how it’s “unbreakable.”

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Unbreakable Software Broken By Helpful Security Researcher?”

Subscribe: RSS Leave a comment
Andrew Benton says:


How can you get angry when someone wants to improve your stuff because you can’t? Oh wait a second, maybe you shouldnt rush to production every peice of software, and in the case of M$, intentionally put exploits in *hoping* no one finds them before you unveil your world-changing service that will use that particular exploit. Ugh.

Posterlogo says:


Umm… right… since no software is perfect, none should ever be released? Sure, Oracle’s reaction isn’t ideal (i.e. they should have embraced the independent effort and made their own patch). But this security researcher should have contacted Oracle first and given them the opportunity to do the right thing. If you seriously believe there aren’t hackers out there waiting for security researchers to publicize security flaws so they can exploit them, you’re pretty naive. There is something to be said for security by obscurity, as long as there is a good faith effort to patch the flaw as soon as possible. As for the WMF flaw, it sounds like a mistake, not some grand conspiracy.

Sparktikus says:

Re: Re: SSDD

I don’t agree, security by obscurity never works. It is like walking around in an area you don’t know, while blind folded. Don’t worry about that truck that’s coming toward you at 80 mph, because you don’t know about it and can’t see it. <br><br>The threat is always there. If someone finds a flaw and doesn’t tell anyone about it…chances are someone else has already found it and is using it to their advantage. <br><br>I think he did a great job. The big companies think they can take their time with patches after people have paid for the programs but they can simply push shoddy programming out the door just to make a quick sale. I agree that software is always going to be released with it weaknesses but some companies just push it to the hilt.

Ivan Sick says:

Re: Re: Re: SSDD

“Intentionally put exploits in? If you are refering to the WMF vulnerability…
No, I think he is referring to any of dozens of “features” that Microsoft has included in Windows and Internet Explorer that are actually incredible security risks. Just look at your Windows Updates. There is something wrong when there can exist security flaws that could allow a malicious party to control a computer remotely–in Media Player.

Spyke Teach says:

Re: Re: SSDD

(i.e. they should have embraced the independent effort and made their own patch).

Embracing the patch that’s been released is not a good idea. The legal exposure is immense. I would not endorse someone else’s software simply because I don’t want to get sued. Do I personally think the patch was better – probably. Would I install it on my own Oracle implementation – sure, after testing on my own baseline lab. Would my bosses sue Oracle if they recommended a 3rd party patch and it crashed us or introduced a security hole – you betcha!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...