Pete Finnigan's Oracle Security Weblog

An interesting article has appeared on TheAge about the recent advisories released about 6 unfixed Oracle bugs. This article is titled "Researcher bugs Oracle over unfixed flaws" and was written by Sam Varghese. This article needs registration on TheAge's website to be able to read it.

The interesting thing in this news item is the fact that an Oracle spokeswoman was named who gave some comments to the author. She first said (paraphrased) that when security vulnerabilities are found and reported that Oracle responds quickly to ensure that customers data is protected. This does not obviously sit well with the fact that these bugs were reported about 2 years ago.

The spokeswoman, Tracy Postill then said that Oracle take security seriously and that their first priority is to reduce customer risk and that Oracle's policy is t fix security bugs in a priority order, the highest risk bugs first. She then advised anyone who finds a bug to inform Oracle and that they are disappointed that any disclosures have been occurred.

This response from Oracle is strange for a couple of reasons. First they say they fix bugs quickly to protect customers but why did they not act for two years with these bugs. Secondly if they fix bugs in severity order then they must have a list of higher risk bugs that need to be fixed first if these bugs have been held up. Remember one of these can be exploited remotely. Also why did Oracle release fixes for bugs that are clearly a lower risk in CPU July 2005? I would say the bugs "Jdeveloper stores passwords in plaintext in different files" and Oracle Formsbuilder stores plaintext password in a temp file in c:\temp are lower risk than those talked about by Alex in his advisories.