Oracle: Third party security patch breaks our stack

InfoWorld is reporting that Oracle is warning its customers not to implement a vulnerability patch that was developed by security researcher David Litchfield (fellow blogger George Ou had the coverage last week). Litchfield was motivated to create his own patch because Oracle, despite four attempts, has apparently failed to do so successfully (according to the InfoWorld story).

Perhaps more interesting is how a quote from an Oracle executive further draws the "breakability" (the company claims its software never breaks) of Oracle's software into question:

Oracle was notified of the workaround before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said. "We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.

eWeek has the story too (see Security disclosure debate erupts at Black Hat). So, unbreakable or breakable? You decide.
