[ISN] Oracle fixes bugs with mega patch

InfoSec News isn at c4i.org
Mon Oct 24 09:09:05 EDT 2005


Forwarded from: The Unknown Security Person...

> Oracle has been criticized for dragging its heels on fixing security
> flaws and being unresponsive to researchers who find bugs. Oracle's
> Chief Security Officer, Mary Ann Davidson, in response said security
> researchers can be a problem when it comes to product security.

How exactly? Oh yeah, they point out the flaws in the products.

Don't shoot the messenger here folks. Let's remember who created this
"unbreakable" (anyone remember those commercials?) software with
several hundred bugs patched per year (and who knows how many are
found and not yet patched. Yikes).

Can anyone imagine another database vendor doing such a bad job as
Oracle is? Last I heard DB2, PostgreSQL and MySQL and heck even MS-SQL
all have significantly happier customers and better security
experiences.

P.S. 60 bugs patched per quarter it seems on average, many of which
are months or years old, this means we can expect 60 more patches a
quarter for a LONG time from Oracle folks, unless of course those
pesky security researchers stop reporting flaws in which case we only
have 1-2 more years of 60 bugs fixed per quarter.

Ain't it great?





More information about the ISN mailing list