Says security expert

Jul 22, 2005 10:42 GMT

Given that the level of online attacks has increased lately, it's only normal for every company to try to address any flaw spotted in one of its products as fast as possible. But what's to be done when a company refuses to do so, despite being warned of the danger represented by its security breaches?

Well, it looks like a possible answer to this question has been given by a security expert from Red Database Security, who has blasted Oracle's patching policy and released details about six security vulnerabilities as a protest against the company's lack of interest in the subject, as reported by Tom Sanders for VNUNet.com.

According to the Red Database Web site, the flaws were first reported to Oracle nearly two years ago, but, as Alexander Kornbrust, who has posted the security reports, says, "It seems that Oracle is not interested in fixing and providing patches for this issue. If you think you need a patch to protect your Oracle Application Server you should contact Oracle."

The flaws affect Oracle Forms and Oracle Reports that ship as part of Oracle 9i and 10g Application Servers and Developer Suites, and have been ranked by the security company Secunia as moderately critical. However, at least one of the flaws provides a way for hackers to take control of a system running the Oracle application.

Red Database claims to have sent Oracle a reminder about the flaws on April 15, threatening to publish the details if the flaws were not addressed as soon as possible.

And seeing that the company's July patch update doesn't contain anything related to this problem, Kornbrust released details about the security holes out of frustration over Oracle's refusal to cooperate or at least to provide details about workarounds that mitigate the risk.

Unveiling the security holes challenges the database vendor's claim to make software that is 'unbreakable,' but as a nasty flipside, the exposure could attract hackers to exploit the flaws.