Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Opinion: Complete failure of Oracle security response and utter negl

from [Kurt Seifried] Network Security [Permanent Link]
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Date: Fri, 7 Oct 2005 16:50:22 -0600 
http://www.red-database-security.com/advisory/published_alerts.html

19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report - [Various CSS in Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any XML-file on the application server via Oracle Report - [Read parts of any XML file via Oracle Reports](Not fixed after 700+days)
19-jul-2005 - Advisory: Read parts of any file on the application server via Oracle Report - [Read parts of any file via Oracle Reports] (Not fixed after 700+days)
19-jul-2005 - Advisory: Overwrite any file on the application server via Oracle Report - [Overwrite files via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from any directory- [Run any OS command via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from any directory- [Run any OS command via Oracle Forms] (Not fixed after 700+ days)

Plus the last few crops of items that Oracle addressed containing items not fixed for almost 2 years, plus the fact that their security patches often fail to apply properly, plus the fact that their security patches now appear to sometimes not address the problem properly if at all, plus the fact that Oracle touts security, ran a nice big unbreakable campaign, etc, etc.

There's a ton of anecdotal evidence. There's a ton of security advisories with notification to release times measured in years (this actually seems to be quite normal). What more do you need? I look at open source vendors and projects, they have become amazingly responsive (major Linux kernel issues addressed in <1 month as a rule, often in days or a week), and even the closed sourced vendors that formerly were problematic have gotten better in general (Microsoft is a good example of improvement, pity they have to maintain scuh complete backwards compatibility though or I suspect we'd see much more improvement).

In the last 7 or so years I haven't seen much in the way of improvement from Oracle, security-wise.

-Kurt Seifried
http://seifried.org/freescan2/



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers, Ivan .
Next by Date:  Multiple Critical and High Vulnerabilities in Oracle Database Server, NGSSoftware Insight Security Research
Previous by Thread:  Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers, David Litchfield
Next by Thread:  Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers, Ivan .
Indexes:  [Date] [Thread] [Top] [All Lists]