Oracle Plugs 122 Security Holes 25
Aditi.Tuteja writes "Oracle has released a 'critical patch update' that plugs 122 security vulnerabilities across the company's databases, enterprise applications, developer tools and middleware. Oracle has also started providing additional information indicating whether a flaw can be exploited by remote attackers without any authentication credentials.
But, Oracle has failed to deliver its patches on all platforms. Patches for Oracle databases 9.2.0.6 and 10.1.0.5 will not be available until the end of this month. Users running Oracle 10.2.0.1 on Linux on Power servers will also have to wait until the end of October, as will users running Oracle 10.2.0.2 on Windows."
Good (Score:2, Insightful)
Re:Good (Score:2, Insightful)
Re:Unbreakable...Break it. (Score:5, Insightful)
Business only understands one thing: money. So this needs to cost them money.
So to me the solution is simple: Researchers privately disclose bugs to the vendor along with a Public Release Date....maybe 6-weeks in the future. Non-Negotiable.
Fixed or not*, the bug is fully and publicly disclosed on that date. Since OSS (and MS DRM! heheh) has shown that bugs can be fixed in days or at the most a few weeks this should give a motivated company plenty of time to fix it. And only money motivates a business.
When vendors start getting threatning calls/letters from their customers (either to sue or jump ship) due to unpatched exploits that are public knowledge then they will be forced to fix them.
Oh sure, the vendors will cry foul (and sadly some will probably try and sue researchers instead of fixing their problems) but the fact is that if one person can find an exploit then a second person can find this exploit. And the other guy might not have noble intentions. Every day that a findable exploit exists is a day that the system is at risk...
*This is actually important, b/c if you read the rant you'll note that the 'fixes' are half-assed. I'm pretty confident that if the exploit was going to be made public that the fixes would be more robust...or the company will go bust.