[Full-disclosure] Oracle, where are the patches???

Subject: [Full-disclosure] Oracle, where are the patches???
Date: Tue, 2 May 2006 16:10:27 +0100

A regular patch release cycle is a good thing. It allows system
administrators to plan ahead and minimize server downtime. If I, as a system
administrator, know that on the 18th of April 2006 a critical patch is going
to be released I'll plan to stay late at work that night and start the
assessment of the patch before I install it. All going well, I can install
the patch and reboot the server all with a minimum amount of downtime. This
should happen once a month or once a quarter - whatever interval my vendor
has chosen. That's what good regular patches allow me to do. The benefits
are absolutely clear.

There are two major problems that can cause these benefits to evaporate into
thin air, however. These are

1) Late Patches - If patches aren't delivered on the day they were supposed
to be, then all my planning ahead has gone to waste and a new plan needs to
be scheduled.
2) Re-issued Patches - If a vendor has to reissue a patch then I have to
reinstall it - which costs me more money and more server downtime. The more
times the patch is re-issued the more it eats into my budget.

Since starting its regular quarterly patch release cycle Oracle has been
guilty of both.

Most recently, Oracle informed us that on the 18th of April 2006 the
Critical Patch Update would be released. This date had been planned for over
a year so why, on that date, were patches not ready for versions 10.2.0.2,
10.1.0.4, 10.1.0.3, 9.2.0.5, 8.1.7.4 and only partial patches for 10.1.0.5?
Further, patches were only available for versions 9.2.0.7, 9.2.0.6 and
10.2.0.1 which means patches are available for only 33% of their supported
versions - what about the poor people running the other 66%?

These 66% were told that their patches would be available on the 1st of May
2006. In all fairness, the 1st of May was an "Estimated Time of Arrival" -
but boy - was that estimate way off! The ETA has now been revised to the
15th of May - a whole month after the supposed patch release day. 

What about Oracle's track record on patch re-issuance? Let's look - the
January 2006 critical patch update was re-issued seven times, the October
2005 CPU three times and the July 2005 CPU was re-issued nine times. The
story is the same for earlier CPUs.

Mary, Mary, quite contrary to what you'd have us believe about Oracle's
security track record, it's not looking too good from my view.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
+44 (0) 208 401 0070
