[40670] in bugtraq
Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
daemon@ATHENA.MIT.EDU (Kurt Seifried)
Sat Oct 8 13:59:41 2005
Message-ID: <003601c5cb91$7fc48850$1a00110a@64DOG>
Reply-To: "Kurt Seifried" <bt@seifried.org>
From: "Kurt Seifried" <bt@seifried.org>
To: "David Litchfield" <davidl@ngssoftware.com>,
"Gadi Evron" <ge@linuxbox.org>
Cc: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>
Date: Fri, 7 Oct 2005 16:50:22 -0600
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=response
Content-Transfer-Encoding: 7bit
http://www.red-database-security.com/advisory/published_alerts.html
19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in
Oracle Report - [Various CSS in Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any XML-file on the application server
via Oracle Report - [Read parts of any XML file via Oracle Reports](Not
fixed after 700+days)
19-jul-2005 - Advisory: Read parts of any file on the application server via
Oracle Report - [Read parts of any file via Oracle Reports] (Not fixed after
700+days)
19-jul-2005 - Advisory: Overwrite any file on the application server via
Oracle Report - [Overwrite files via Oracle Reports] (Not fixed after 700+
days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from
any directory- [Run any OS command via Oracle Reports] (Not fixed after 700+
days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from
any directory- [Run any OS command via Oracle Forms] (Not fixed after 700+
days)
Plus the last few crops of items that Oracle addressed containing items not
fixed for almost 2 years, plus the fact that their security patches often
fail to apply properly, plus the fact that their security patches now appear
to sometimes not address the problem properly if at all, plus the fact that
Oracle touts security, ran a nice big unbreakable campaign, etc, etc.
There's a ton of anecdotal evidence. There's a ton of security advisories
with notification to release times measured in years (this actually seems to
be quite normal). What more do you need? I look at open source vendors and
projects, they have become amazingly responsive (major Linux kernel issues
addressed in <1 month as a rule, often in days or a week), and even the
closed sourced vendors that formerly were problematic have gotten better in
general (Microsoft is a good example of improvement, pity they have to
maintain scuh complete backwards compatibility though or I suspect we'd see
much more improvement).
In the last 7 or so years I haven't seen much in the way of improvement from
Oracle, security-wise.
-Kurt Seifried
http://seifried.org/freescan2/
