From: John Hurley on 8 Feb 2010 14:18

On Feb 8, 10:52 am, "Vladimir M. Zakharychev" <vladimir.zakharyc...(a)gmail.com> wrote:

snip ...

> [rant]
> Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> disclosure and guess what - no alert from Oracle still. Neither public
> at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
> paying-customer-only at MOS, nor on their security blogs... Even a
> simple acknowledgment that they are aware and are working on a fix
> would do at this point... Do they think that if they just ignore the
> threat it will eventually go away? Or are they too busy rebranding Sun
> sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> heritage, full-fledged user-friendly backdoor, even no need to compose
> and inject shellcode to instantiate one of your own...)
> [/rant]

It does seem quite curious, doesn't it?

No worries though, because Mary Ann has our back, right?

How long until the auditors start asking questions (as they are supposed to do)?
From: Vladimir M. Zakharychev on 8 Feb 2010 16:00

On Feb 8, 10:18 pm, John Hurley <johnbhur...(a)sbcglobal.net> wrote:

> On Feb 8, 10:52 am, "Vladimir M. Zakharychev"
> <vladimir.zakharyc...(a)gmail.com> wrote:
>
> snip ...
>
> > [rant]
> > Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> > disclosure and guess what - no alert from Oracle still. Neither public
> > at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
> > paying-customer-only at MOS, nor on their security blogs... Even a
> > simple acknowledgment that they are aware and are working on a fix
> > would do at this point... Do they think that if they just ignore the
> > threat it will eventually go away? Or are they too busy rebranding Sun
> > sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> > heritage, full-fledged user-friendly backdoor, even no need to compose
> > and inject shellcode to instantiate one of your own...)
> > [/rant]
>
> It does seem quite curious, doesn't it?
>
> No worries though, because Mary Ann has our back, right?
>
> How long until the auditors start asking questions (as they are
> supposed to do)?

Compare that to the recent Microsoft attitude towards serious security issues, especially 0-days. They typically publish bulletins within hours just to let their customers know they take the matter seriously. Every such issue damages their reputation and affects their bottom line. Sure, the impact of any Microsoft security bug is very wide - and they accepted the responsibility. But the impact of an enterprise database bug of such magnitude is probably even more devastating, because it hits right at the heart of an enterprise. How they can remain quiet and pretend nothing is happening is beyond me. But thanks to David, now I'm forewarned and thus forearmed. M-A.D. seems to be more concerned with the process than with deliverables, I.M.O...

She will probably start ranting about how irresponsible it was of David to disclose the issue without giving them time to cook a fix, how this doesn't help the security community, how damaging such disclosures are to Oracle customers, etc. I have a feeling she truly believes in security by obscurity. She sure has her back covered, but I am not so sure about mine...

David's presentation starts with some figures and rates - well, that wasn't new to me, but it's sad to see that nothing has changed over the last few years. The attitude didn't change. No SCS, laws or education can fix that.

Regards,
Bob
From: John Hurley on 9 Feb 2010 14:25

On Feb 8, 10:52 am, "Vladimir M. Zakharychev" <vladimir.zakharyc...(a)gmail.com> wrote:

snip

> Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> disclosure and guess what - no alert from Oracle still. Neither public
> at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
> paying-customer-only at MOS, nor on their security blogs... Even a
> simple acknowledgment that they are aware and are working on a fix
> would do at this point... Do they think that if they just ignore the
> threat it will eventually go away? Or are they too busy rebranding Sun
> sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> heritage, full-fledged user-friendly backdoor, even no need to compose
> and inject shellcode to instantiate one of your own...)
> [/rant]

Well, the WebLogic alert is out now ... so maybe Oracle Corp. is about ready to get this one out next ... maybe.