Bugtraq mailing list archives
Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
From: "Kurt Seifried" <bt () seifried org>
Date: Fri, 7 Oct 2005 16:50:22 -0600
http://www.red-database-security.com/advisory/published_alerts.html

19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report - [Various CSS in Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any XML-file on the application server via Oracle Report - [Read parts of any XML file via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any file on the application server via Oracle Report - [Read parts of any file via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Overwrite any file on the application server via Oracle Report - [Overwrite files via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from any directory - [Run any OS command via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from any directory - [Run any OS command via Oracle Forms] (Not fixed after 700+ days)
Plus the last few crops of items that Oracle addressed containing items not fixed for almost 2 years, plus the fact that their security patches often fail to apply properly, plus the fact that their security patches now appear to sometimes not address the problem properly if at all, plus the fact that Oracle touts security, ran a nice big unbreakable campaign, etc, etc.
There's a ton of anecdotal evidence. There's a ton of security advisories with notification to release times measured in years (this actually seems to be quite normal). What more do you need? I look at open source vendors and projects, they have become amazingly responsive (major Linux kernel issues addressed in <1 month as a rule, often in days or a week), and even the closed sourced vendors that formerly were problematic have gotten better in general (Microsoft is a good example of improvement, pity they have to maintain such complete backwards compatibility though or I suspect we'd see much more improvement).
In the last 7 or so years I haven't seen much in the way of improvement from Oracle, security-wise.
-Kurt Seifried http://seifried.org/freescan2/