From: John Hurley on
On Feb 8, 10:52 am, "Vladimir M. Zakharychev"
<vladimir.zakharyc...(a)gmail.com> wrote:

snip ...

> [rant]
> Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> disclosure and guess what - no alert from Oracle still. Neither public
> at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
> paying-customer-only at MOS, nor on their security blogs... Even a
> simple acknowledgment that they are aware and are working on a fix
> would do at this point... Do they think that if they just ignore the
> threat it will eventually go away? Or are they too busy rebranding Sun
> sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> heritage, full-fledged user-friendly backdoor, even no need to compose
> and inject shellcode to instantiate one of your own...)
> [/rant]

It does seem quite curious, doesn't it?

No worries though, because Mary Ann has our back, right?

How long until the auditors start asking questions (as they are
supposed to do)?

From: Vladimir M. Zakharychev on
On Feb 8, 10:18 pm, John Hurley <johnbhur...(a)sbcglobal.net> wrote:
> On Feb 8, 10:52 am, "Vladimir M. Zakharychev"
>
> <vladimir.zakharyc...(a)gmail.com> wrote:
>
> snip ...
>
> > [rant]
> > Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> > disclosure and guess what - no alert from Oracle still. Neither public
> > at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
> > paying-customer-only at MOS, nor on their security blogs... Even a
> > simple acknowledgment that they are aware and are working on a fix
> > would do at this point... Do they think that if they just ignore the
> > threat it will eventually go away? Or are they too busy rebranding Sun
> > sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> > heritage, full-fledged user-friendly backdoor, even no need to compose
> > and inject shellcode to instantiate one of your own...)
> > [/rant]
>
> It does seem quite curious, doesn't it?
>
> No worries though, because Mary Ann has our back, right?
>
> How long until the auditors start asking questions (as they are
> supposed to do)?

Compare that to Microsoft's recent attitude towards serious security
issues, especially 0-days. They typically publish bulletins within
hours just to let their customers know they take the matter seriously.
Every such issue damages their reputation and affects their bottom
line. Sure, the impact of any Microsoft security bug is very wide, and
they have accepted the responsibility. But the impact of an enterprise
database bug of such magnitude is probably even more devastating because
it hits right in the heart of an enterprise. How they can remain quiet
and pretend nothing is happening is beyond me. But thanks to David, now
I'm forewarned and thus forearmed.

M-A.D. seems to be more concerned with the process than with
deliverables I.M.O... She will probably start ranting about how
irresponsible it was of David to disclose the issue without giving
them time to cook a fix, and how this doesn't help security community
and how damaging such disclosures are to Oracle customers, etc. I have
a feeling she truly believes in security by obscurity.

She sure has her back covered, but I am not so sure about mine...
David's presentation starts with some figures and rates - well, that
wasn't new to me, but it's sad to see nothing changed over the last
few years. The attitude didn't change. No SCS, laws or education can
fix that.

Regards,
Bob
From: John Hurley on
On Feb 8, 10:52 am, "Vladimir M. Zakharychev"
<vladimir.zakharyc...(a)gmail.com> wrote:

snip

> Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> disclosure and guess what - no alert from Oracle still. Neither public
> at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
> paying-customer-only at MOS, nor on their security blogs... Even a
> simple acknowledgment that they are aware and are working on a fix
> would do at this point... Do they think that if they just ignore the
> threat it will eventually go away? Or are they too busy rebranding Sun
> sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> heritage, full-fledged user-friendly backdoor, even no need to compose
> and inject shellcode to instantiate one of your own...)
> [/rant]

Well, the WebLogic alert is out now ... so maybe Oracle Corp is about
ready to get this one out next ... maybe.