I was looking around the net tonight at all the usual suspects, looking for any new Oracle security news, when I found another news story about the July CPU, published today, 14 July, written by Jim Wagner and titled "Oracle Issues Critical Patch". The article starts with some facts gleaned from the July CPU advisory and then goes on to quote CERT's response to the patch set and advisory. There is then some very interesting discussion of Oracle's non-disclosure policy, and some comparisons are made with other manufacturers such as The Mozilla Foundation and Microsoft. Michael Sutton is quoted as saying that Oracle does not make it easy for customers to decide what to patch, as the information released is not good enough to allow customers to decide whether to patch or not. He goes on to talk about patch reverse engineering to find out what is fixed, and says that this method can be used by hackers to write exploits.