Network Security Vuln-Dev
Subject: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Date: Wed, 29 Nov 2006 08:22:09 -0000
Hi Shawn,
Oracle do not report issues they've found internally in their alerts. Every
DBn in their alerts marries up to "public" flaws.

Not that I disagree (or know for that matter) but at
blogs.oracle.com/security/ they state that they, "Disclose the existence of
vulnerabilities once cured, even if they are discovered internally."


Maybe someone should leave a comment correcting them or better yet invite
them to discuss some of the issues brought up on this list.

Ah, the wonders of Oracle Spin Blog. When Oracle issue an alert they credit a number of external security researchers. Some of these researchers don't post their own advisories for the flaws that they've reported but others do. When you marry up the advisories of those that do to the vulnerabilities listed in the Risk Matrix in the Oracle alert you're left with only a few "unexplained" entries. So either these were found internally by Oracle or they were found by the researchers that don't publish advisories. Now, when Mary Ann Davidson, the Oracle CSO, has gone on record as saying that they find more than 75% of significant issues internally (bottom of section 3 here - http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html) we're left in a situation where the numbers just don't stack up. Either they don't publish internal finds (which leaves Mary's statement intact) or they do publish internal finds, which destroys Mary's statement. There is of course the possibility that external researchers are reporting issues that have already been found internally - which would leave both statements intact. However, when I report a new issue to Oracle the way in which they respond indicates whether you've found a new issue or a duplicate. It's not very often you get a duplicate so we're still left with the contradiction. Either way this contradiction means that someone at Oracle is lying. The problem with spin is that it leaves you dizzy and you might just end up on your butt.


Cheers,
David
