Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Grant talks about securing Forms applications with SSL"] [Next entry: "Oracle has been silently fixing security bugs in CPU July 2005"]

Internet News talks about Oracles latest Critical Patch Update



I was looking around the net tonight at all the usual suspects looking for any new Oracle security news when I found another news story about the July CPU published today, 14 July, written by Jim Wagner and titled "Oracle Issues Critical Patch". This article starts with some facts gleaned from the CPU July advisory and then goes on to quote CERT's response to the patch set and advisory. There is then some very interesting discussions on Oracles non-disclosure policy and some comparisons are made with other manufacturers such as The Mozilla Foundation and also Microsoft. Michael Sutton is quoted as saying Oracle do not make it easy for customers to decide what to patch as there is not good enough information released to allow customers to decide whether to patch or not. He goes on further to talk about patch reverse engineering to find out what is fixed and that this method can be used to write exploits by hackers.