Unbreakable Software Broken By Helpful Security Researcher?

from the define-unbreakable dept

Oracle is now facing a similar situation to the one that Microsoft faced a few weeks ago. After a vulnerability was exposed with Microsoft was slow to fix, an independent security researcher created his own patch to fix it -- which Microsoft reacted negatively to (though, they did speed up the release of their own patch). Oracle is in a similar situation. While they released a security patch recently, it didn't fix a security vulnerability that one researcher felt was particularly critical -- and not that difficult to fix. So he fixed it himself and released the patch. Now, Oracle is quite upset about the independent patch, claiming that just by releasing it, the researcher has alerted those with malicious intent to the flaw, while also claiming that fixing the security hole isn't as easy as the researcher made it out to be. However, here's where Oracle's spokesperson made a poor choice of words. For a while, Oracle had been marketing some of their products as "unbreakable" -- and even though they meant it in a very specific way, it still leaves them open to some amount of ridicule when they're quoted as saying: "We know it will break a number of Oracle products..." in discussing the security patch. If an independent security researcher trying to fix a vulnerability "breaks" your software, it's tough to see how it's "unbreakable."
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Andrew Benton, 30 Jan 2006 @ 12:19pm

    SSDD

    How can you get angry when someone wants to improve your stuff because you can't? Oh wait a second, maybe you shouldnt rush to production every peice of software, and in the case of M$, intentionally put exploits in *hoping* no one finds them before you unveil your world-changing service that will use that particular exploit. Ugh.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 30 Jan 2006 @ 12:31pm

    Re: SSDD

    Intentionally put exploits in? If you are refering to the WMF vulnerability there is evidence that that wasn't an intentional backdoor. http://www.sysinternals.com/Blog/

    link to this | view in thread ]

  3. identicon
    Posterlogo, 30 Jan 2006 @ 1:03pm

    Re: SSDD

    Umm... right... since no software is perfect, none should ever be released? Sure, Oracle's reaction isn't ideal (i.e. they should have embraced the independent effort and made their own patch). But this security researcher should have contacted Oracle first and given them the opportunity to do the right thing. If you seriously believe there aren't hackers out there waiting for security researchers to publicize security flaws so they can exploit them, you're pretty naive. There is something to be said for security by obscurity, as long as there is a good faith effort to patch the flaw as soon as possible. As for the WMF flaw, it sounds like a mistake, not some grand conspiracy.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 30 Jan 2006 @ 1:24pm

    Re: SSDD

    The real question is:
    Vulnerability really that bad?

    If it was (and the description seems to indicate that it was) - a patch from any source is better then none.

    It is then up to the customer to be responsible for testing and stability of his own custom patched software.

    link to this | view in thread ]

  5. identicon
    Sparktikus, 30 Jan 2006 @ 8:21pm

    Re: SSDD

    I don't agree, security by obscurity never works. It is like walking around in an area you don't know, while blind folded. Don't worry about that truck that's coming toward you at 80 mph, because you don't know about it and can't see it. <br><br>The threat is always there. If someone finds a flaw and doesn't tell anyone about it...chances are someone else has already found it and is using it to their advantage. <br><br>I think he did a great job. The big companies think they can take their time with patches after people have paid for the programs but they can simply push shoddy programming out the door just to make a quick sale. I agree that software is always going to be released with it weaknesses but some companies just push it to the hilt.

    link to this | view in thread ]

  6. identicon
    Ivan Sick, 30 Jan 2006 @ 10:47pm

    Re: SSDD

    "Intentionally put exploits in? If you are refering to the WMF vulnerability...
    ------------
    No, I think he is referring to any of dozens of "features" that Microsoft has included in Windows and Internet Explorer that are actually incredible security risks. Just look at your Windows Updates. There is something wrong when there can exist security flaws that could allow a malicious party to control a computer remotely--in Media Player.

    link to this | view in thread ]

  7. identicon
    Spyke Teach, 31 Jan 2006 @ 7:45am

    Re: SSDD

    (i.e. they should have embraced the independent effort and made their own patch).

    Embracing the patch that's been released is not a good idea. The legal exposure is immense. I would not endorse someone else's software simply because I don't want to get sued. Do I personally think the patch was better - probably. Would I install it on my own Oracle implementation - sure, after testing on my own baseline lab. Would my bosses sue Oracle if they recommended a 3rd party patch and it crashed us or introduced a security hole - you betcha!

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.