InfoWorld is reporting that Oracle is warning its customers not to implement a vulnerability patch developed by security researcher David Litchfield (fellow blogger George Ou had the coverage last week). Litchfield was motivated to create his own patch because Oracle, despite four attempts, has apparently failed to fix the flaw successfully (according to the InfoWorld story). Perhaps more interesting is how a quote from an Oracle executive further calls into question the "breakability" of Oracle's software (the company claims its software never breaks):
Oracle was notified of the workaround before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said. "We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.
eWeek has the story too (see Security disclosure debate erupts at Black Hat). So, unbreakable or breakable? You decide.