Oracle has defended its security patching record following claims that it neglected to address six potential security flaws in its enterprise software.
Last week, Oracle issued patches for almost 50 vulnerabilities in its products as part of its quarterly patching cycle, but Red-Database-Security published details this week of other potential flaws in Oracle Reports, Oracle Forms and other Oracle software.
The security company said it had warned Oracle of the security holes around two years ago and was publishing the details after growing impatient with Oracle's lack of action on the problems.
Along with details of the threats, the security company also provided users with workarounds to stop attackers from exploiting the vulnerabilities until fixes are available.
One of the reported flaws allows an attacker to overwrite files in Oracle Application Server (of which Oracle Reports is a component), a threat rated as high risk by Red-Database-Security.
But Oracle defended its patching record and said it was disappointed at Red-Database-Security's disclosure. An Oracle spokesperson said, “When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems.
“Oracle’s policy is to fix security vulnerabilities in severity order – higher severity vulnerabilities are fixed as a priority over lower severity vulnerabilities.
“We believe the most effective way to protect customers is to avoid disclosing or publicising vulnerabilities before a patch or workaround has been developed. We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available.”
Red-Database-Security’s case is helped by the fact that it issued workarounds alongside its reported flaws, but its spat with Oracle illustrates that the debate over whether security researchers should publicise software threats before a patch is released rumbles on.