The database company should have fixed the issue in the latest critical patch update (CPU), but failed to do so, he said, adding that he believes the flaw is more significant than a privilege escalation issue fixed in less than three months by Oracle in the latest update.
After hearing about the conference presentation, Oracle slammed the researcher for releasing information about the vulnerability, saying that doing so puts its customers in danger. “We are always disappointed when researchers feel the need to publish details of vulnerabilities before a fix is available,” Duncan Harris, senior director of security assurance for Oracle, said in an interview with SecurityFocus.
At the Black Hat Security Briefings in Las Vegas last summer, networking giant Cisco and network protection firm Internet Security Systems filed suit against a security researcher for disclosing methods to run code on Cisco’s networking hardware.
On Wednesday, he posted a workaround for the vulnerability on SecurityFocus’ BugTraq mailing list. However, Oracle said that it studied the workaround proposed by Litchfield and found it inadequate. Other security professionals have also taken Oracle to task for its troubles in effectively handling security researchers and vulnerability disclosure.
http://www.securityfocus.com/news/11371?ref=rss