Unbreakable Software Broken By Helpful Security Researcher?
from the define-unbreakable dept
Oracle is now facing a similar situation to the one that Microsoft faced a few weeks ago. After a vulnerability was exposed with Microsoft was slow to fix, an independent security researcher created his own patch to fix it — which Microsoft reacted negatively to (though, they did speed up the release of their own patch). Oracle is in a similar situation. While they released a security patch recently, it didn’t fix a security vulnerability that one researcher felt was particularly critical — and not that difficult to fix. So he fixed it himself and released the patch. Now, Oracle is quite upset about the independent patch, claiming that just by releasing it, the researcher has alerted those with malicious intent to the flaw, while also claiming that fixing the security hole isn’t as easy as the researcher made it out to be. However, here’s where Oracle’s spokesperson made a poor choice of words. For a while, Oracle had been marketing some of their products as “unbreakable” — and even though they meant it in a very specific way, it still leaves them open to some amount of ridicule when they’re quoted as saying: “We know it will break a number of Oracle products…” in discussing the security patch. If an independent security researcher trying to fix a vulnerability “breaks” your software, it’s tough to see how it’s “unbreakable.”
Comments on “Unbreakable Software Broken By Helpful Security Researcher?”
SSDD
How can you get angry when someone wants to improve your stuff because you can’t? Oh wait a second, maybe you shouldnt rush to production every peice of software, and in the case of M$, intentionally put exploits in *hoping* no one finds them before you unveil your world-changing service that will use that particular exploit. Ugh.
Re: SSDD
Intentionally put exploits in? If you are refering to the WMF vulnerability there is evidence that that wasn’t an intentional backdoor. http://www.sysinternals.com/Blog/
Re: SSDD
Umm… right… since no software is perfect, none should ever be released? Sure, Oracle’s reaction isn’t ideal (i.e. they should have embraced the independent effort and made their own patch). But this security researcher should have contacted Oracle first and given them the opportunity to do the right thing. If you seriously believe there aren’t hackers out there waiting for security researchers to publicize security flaws so they can exploit them, you’re pretty naive. There is something to be said for security by obscurity, as long as there is a good faith effort to patch the flaw as soon as possible. As for the WMF flaw, it sounds like a mistake, not some grand conspiracy.
Re: Re: SSDD
The real question is:
Vulnerability really that bad?
If it was (and the description seems to indicate that it was) – a patch from any source is better then none.
It is then up to the customer to be responsible for testing and stability of his own custom patched software.
Re: Re: SSDD
I don’t agree, security by obscurity never works. It is like walking around in an area you don’t know, while blind folded. Don’t worry about that truck that’s coming toward you at 80 mph, because you don’t know about it and can’t see it. <br><br>The threat is always there. If someone finds a flaw and doesn’t tell anyone about it…chances are someone else has already found it and is using it to their advantage. <br><br>I think he did a great job. The big companies think they can take their time with patches after people have paid for the programs but they can simply push shoddy programming out the door just to make a quick sale. I agree that software is always going to be released with it weaknesses but some companies just push it to the hilt.
Re: Re: Re: SSDD
“Intentionally put exploits in? If you are refering to the WMF vulnerability…
————
No, I think he is referring to any of dozens of “features” that Microsoft has included in Windows and Internet Explorer that are actually incredible security risks. Just look at your Windows Updates. There is something wrong when there can exist security flaws that could allow a malicious party to control a computer remotely–in Media Player.
Re: Re: SSDD
(i.e. they should have embraced the independent effort and made their own patch).
Embracing the patch that’s been released is not a good idea. The legal exposure is immense. I would not endorse someone else’s software simply because I don’t want to get sued. Do I personally think the patch was better – probably. Would I install it on my own Oracle implementation – sure, after testing on my own baseline lab. Would my bosses sue Oracle if they recommended a 3rd party patch and it crashed us or introduced a security hole – you betcha!