Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "OUG Scotland"] [Next entry: "Link to David Litchfields original post"]

David Litchfield writes an open letter to the security community and Oracle customers

I have just seen a post to the BugTraq mailing list at Security Focus written by David Litchfield and replied to by Cesar Cerrudo. The post is titled "Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers". Scroll down and read Davidís original post first before you read Cesar's comments. This is eye opening for Oracle customers and very interesting reading. David lists issue after issue that was reported years ago in some cases that are still not fixed correctly. He reports bugs not fixed by actually getting rid of the root problem but taping over the hole so to speak. He also talks about bugís fixed and similar holes a few lines down from the fix having exactly the same issue.

David is calling for Oracle customers to contact Oracle and demand a better security service and those customers should demand fixes. Cesars comments mirror those of David with some comparisons to Microsoft a few years ago and he also threatens to release a 0day remote exploit.