
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Carelessness Runs Amuck With Zero Day Vulnerabilities

Carelessness Runs Amuck With Zero Day Vulnerabilities - Mark Joseph Edwards

"It's no secret that some hackers, predominantly wearing either black or grey hats, discover vulnerabilities and then proceed to sit on those vulnerabilities for some variable amount of time. The motives for not informing the affected vendors appear to vary from entirely self-centered reasons to the need for leverage against a given vendor who might claim to be improving security, but just not fast enough for the satisfaction of some people. Sometimes the latter explanation turns out to be more of a ruse than fact. "

Judging by the number of articles in the press on this planned week of Oracle 0-days by Argeniss, and the fact that none of them are positive or in agreement with it, it looks like most of the Oracle-speaking world agrees that it's not a good plan. I have had a lot of conversations this week with interested parties, users and customers of Oracle, and no one thinks it's a good idea to release 0-days to make a point.

The real point is that Oracle are getting better at security and we should give them a chance to prove themselves; also, there is no value in making a large number of databases immediately vulnerable to attack.