A war of words between Oracle and a UK security researcher who issued his own workaround to a serious Oracle security vulnerability has highlighted a dilemma facing IT security professionals.
The workaround, the second third-party patch to appear in recent weeks, has left IT departments wondering whether they should apply third-party patches or risk leaving their systems vulnerable until suppliers catch up.
Last week, David Litchfield released a workaround for a critical flaw that could allow hackers to gain control of Oracle databases, after Oracle failed to rectify the problem in its January quarterly update.
"Oracle still has not released an official patch, so it is still leaving its customers at risk. It is a trivial thing to fix. If the company is still working on it, I do not understand why," Litchfield said last week.
Litchfield's company, NGS, has had feedback from several large organisations, including government departments, that have applied the workaround to protect their systems.
However, Oracle is advising its customers not to apply the patch, claiming Litchfield's workaround could damage some applications.
"Oracle does not recommend workarounds developed by third-party organisations, as these organisations generally are not able to appropriately test how the workaround may affect other products," it said.
Last month Microsoft users faced a similar issue when third-party developers issued patches for a flaw before an official fix was released.