At the end of February, Oracle confirmed a sandbox bypass vulnerability identified by experts from Security Explorations. However, the security firm was displeased with the fact that Oracle had only catalogued one of the issues used for the bypass as a security hole.
The sandbox bypass leverages two bugs dubbed by Security Explorations “Issue 54” and “Issue 55.” Oracle has admitted that “Issue 55” is a security vulnerability, but the company says “Issue 54” demonstrates “allowed behavior.”
After Oracle’s assessment, the security firm said it would publish the complete technical details of “Issue 54” to allow the security community to determine who was right.
Three weeks have passed and since Oracle hasn’t changed its mind, Security Explorations has published the details of “Issue54.”
“As of Mar 18, 2013 we have no information that Oracle treats Issue 54 as a security vulnerability. We believe that 3 weeks (from Feb 25 to Mar 18) constitutes enough time for a major software vendor to deliver a final confirmation or denial of a reported issue,” Adam Gowdiak, CEO of Security Explorations, told Softpedia in an email.
“This especially concerns a vendor that has been a subject of a considerable criticism regarding competent and prompt handling of security vulnerabilities in its software,” Gowdiak added.
“Security Explorations is publishing the following material in a hope a wider public could conduct an independent evaluation of Issue 54 and deliver an unbiased judgment of both companies’ claims.”
Anyone interested in analyzing Issue 54 to determine which of the companies is right, can check out the technical details here. The report contains some interesting arguments.
Gowdiak says that if Oracle is right, the publication of these technical details should not cause any problems.
“Our policy is to release technical details of issues denied by a vendor as security bugs. We basically assume that publication of a non-security issue does not pose a risk to anyone and is not of any concern for the vendor,” he explained.