Thursday, January 19, 2006

Oracle Jan 2006 Patch & Exploits publication

As many of you very well know, Oracle released its Jan 2006 CPU on Jan 17th, and almost immediately afterwards Alex of Red Database Security released details of exploits for 5 of the bugs fixed in the latest patch. Imperva also released details of another exploit for a bug fixed in the patch.

Okay, it's fine to release the exploits to get credit or whatever acknowledgement, but come on, we (Oracle customers) are in a bind, as now we have to get the patches applied as quickly as possible and hope that we are not exposed while trying to apply the patch to all the databases within our organization. This is damn irresponsible of Alex and Imperva! Imperva can forget about getting any business from my organization now and in future. We are essentially put in a position of being at risk if we don't apply the patch sooner, or at the risk of something else breaking by applying the patch without fully testing to ensure that existing critical applications still work.

Grrrr!

1 comment:

Doug Burns said...

Peter,

I've thought about whether or not to comment for a day or two because I wouldn't want to upset the security crowd or get into an extended debate about the value of security research. However, as a working DBA, I agree with you on this one and appreciate this blog.

I hear a lot about how security researchers provide a community service but I (personally) wonder how much is service and how much is ego. I suspect this is an old, circular argument though ...

Cheers,

Doug