IDG News Service - A German security firm has published details of six security vulnerabilities in Oracle Corp.'s software, three of them high-risk, that it says were not fixed in an Oracle security update earlier this month.
The decision to publish the vulnerabilities, which affect Oracle Reports, Oracle Forms and some other Oracle products indirectly, raises again the issue of whether security experts should disclose holes in products before vendors have patched them.
Security firm Red-Database-Security GmbH, which specializes in Oracle products, said it reported the holes to Oracle almost two years ago. The database vendor acknowledged that they exist but has still not patched them, according to Alexander Kornbrust, a business director at Red-Database-Security in Neunkirchen, Germany.
Kornbrust warned Oracle in April that if it did not fix the bugs with its next round of security patches Red-Database-Security would publish details about them. Oracle released the quarterly patch update last week, fixing 49 holes in various products. It did not fix the bugs uncovered by Red-Database-Security, however, so the security firm released details of them yesterday.
Red-Database-Security describes three of the bugs as high-risk, two as medium and one as low. One of the high-risk flaws makes it possible for a hacker to overwrite files in the Oracle Application Server, according to Red-Database-Security. Oracle Reports is a component of the Oracle Application Server and is also used by its E-Business applications suite.
The holes are not hard to exploit and affect all recent versions of the products, according to Kornbrust. "In one case all you have to do is type in a URL," he said. More information, including the work-arounds, is available online.
In a statement, Oracle said it takes security seriously and its policy is to fix vulnerabilities in order of severity, starting with high-priority issues, it said.
"We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available," the company said.
An Oracle spokesman declined further comment.
Security firms have come under fire for releasing details of unpatched security flaws. Some experts argue that if vendors do not patch their products in a reasonable amount of time, customers have a right to know that vulnerabilities exist. Others say that security firms never help customers by publishing information about still-vulnerable products.
Kornbrust noted that he released a work-around to fix each of the vulnerabilities he published. He said he chose not to publish details of other vulnerabilities because he does not have a work-around for them.
"I also offered [Oracle] additional
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
