Oracle is preparing to release patches for a number of vulnerabilities, but apparently has delayed their release until a new distribution system is ready. Clearly, it’s a good thing that they’re getting the patches ready, but it seems to me that Microsoft has gotten a lot of grief for delaying patches for a variety of reasons… will Oracle be held to the same standard? Will /. pick this issue up and discuss it?
--Oracle to Address 34 Flaws
(3 August 2004)
Oracle plans to release patches to fix 34 vulnerabilities in its database software. The vulnerabilities include buffer overflow and SQL injection flaws; some are easy to exploit while others require a fair amount of technical ability. Next Generation Security (NGS) Software said that while it discovered the vulnerabilities and informed Oracle early this year, Oracle is delaying the release of the fixes until its new patch distribution system is ready for release. The delay has prevented NGS from discussing details of the vulnerabilities with others in the security field.
[via SANS Newsbites]
I’ll be interested to see what the advocates of early disclosure have to say about this.