Oracle: Third party security patch breaks our stack

InfoWorld is reporting that Oracle is warning its customers not to implement a vulnerability patch that was developed by security researcher David Litchfield (fellow blogger George Ou had the coverage last week). Litchfield was motivated to create his own patch because Oracle, despite four attempts, has apparently failed to do so successfully (according to the InfoWorld story). Perhaps more interesting is how a quote from an Oracle executive brings the "breakability" of Oracle's software (the company claims its software never breaks) further into question:

Oracle was notified of the workaround before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said. "We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.

eWeek has the story too (see Security disclosure debate erupts at Black Hat).  So, unbreakable or breakable?  You decide.

About

David Berlind was formerly the executive editor of ZDNet. David holds a BBA in Computer Information Systems. Prior to becoming a tech journalist in 1991, David was an IT manager.
