August 11, 2008

Under-Disclosure

My last post discussed responsible disclosure, focusing on the Oracle 0-day exploit. When the exploit was published, Oracle was quick to release an advisory with an unusual (probably the first in a decade) recommendation for a workaround. Now, a few days later, Oracle is issuing an out-of-cycle patch (its first in a very long time) to protect against this vulnerability. In its updated advisory, Oracle is urging customers to immediately install the patch rather than use the workaround.


My (eternal) question is WHY?


If I can apply (a convenient) workaround outside of the server, why should I mess with the server software? Especially when the said patch was evidently compiled in a rush? To help me prove my point, Oracle just sent a letter to its customers notifying them that some of the patch sets released in July were incorrectly compiled and do not solve all the problems they were supposed to. Why is Oracle not providing its customers with enough information to make an educated, conscious decision as to whether to use the workaround or immediately install the patch?


Actually, I already know Oracle's response to my question - "We do not divulge any technical details, to prevent hackers from quickly exploiting them." Which in this particular case is completely ridiculous, as exploit code has already been published.


Oracle is not alone in its "patch and don't ask questions" paradigm. Most major software vendors resort to this same behavior. One vendor that is trying to improve on its disclosure policy is Microsoft, which recently announced its Microsoft Active Protections Program (MAPP). This is the company's initiative for an early disclosure program shared with its affiliates, so that these partners can make the relevant preparations. We cannot yet evaluate the effectiveness of such a program, but I do think that other large vendors should join in with a similar approach, allowing standalone security solutions to provide timely workarounds while enterprises plan their patching cycles in an orderly manner.


- Amichai
