Roy Schestowitz wrote:
> Oracle Responds To Information Security Critics
> ,----[ Quote ]
> | "We acknowledge all of the vulnerabilities at the time of the issuance
> | of the appropriate fix and we credit security researchers for any
> | vulnerability they discovered in the Critical Patch Update
> | documentation," he said. "However, we do not credit security
> | researchers who disclose the existence of vulnerabilities before
> | a fix is available. We consider such practices, including disclosing
> | zero-day exploits, to be irresponsible as they can result in
> | needlessly exposing customers to risk of attack."
I have to agree with Oracle this time; there are proper procedures for
reporting security vulnerabilities, whether that is in MS-based software,
UNIX or Linux. Too many so-called security software vendors or experts
see it as a hit for themselves if they can be first to get a
vulnerability out to the press and the internet, irrespective of the risks to
the users of the software, or indeed irrespective of how unlikely the
scenario for the vulnerability is.
Some of them come across as "Stand on one leg, put your left index finger in
your right ear, sing 'Some Enchanted Evening' from South Pacific and you may
have a vulnerability". But once that information is out, the hacker crew
will try it and will very likely find 'Bali High' has a similar effect.
If Oracle or anyone else is slow to patch then there is value in bringing
that out to the press, but not details of the vulnerability itself.
PS: Please do not put your right finger in your left ear and sing 'Hunny
Bun' as it wipes the hard drive.