Third-party Oracle fix dilemma


Bill Goodwin

A war of words between Oracle and a UK security researcher who issued his own workaround to a serious Oracle security vulnerability has highlighted a dilemma facing IT security professionals.

The workaround, the second third-party patch to appear in recent weeks, has left IT departments wondering whether they should apply third-party patches or risk leaving their systems vulnerable until suppliers catch up.

Last week, David Litchfield released a workaround for a critical flaw that could allow hackers to gain control of Oracle databases, after Oracle failed to rectify the problem in its January quarterly update.

"Oracle still has not released an official patch, so it is still leaving its customers at risk. It is a trivial thing to fix. If the company is still working on it, I do not understand why," Litchfield said last week.

Litchfield's company, NGS, has had feedback from several large organisations, including government departments, that have applied the workaround to protect their systems.

However, Oracle is advising its customers not to apply the patch, claiming Litchfield's workaround could damage some applications.

"Oracle does not recommend workarounds developed by third-party organisations, as these organisations generally are not able to appropriately test how the workaround may affect other products," it said.

Last month Microsoft users faced a similar issue when third-party developers issued patches for a flaw before an official fix was released.
