Oracle: Three years and ten months without a patch
Posted by jericho
David Litchfield posted to Full-Disclosure pointing out more Oracle errata: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0449.html
From: David Litchfield (davidl@ngssoftware.com)
To: ntbugtraq@listserv.ntbugtraq.com, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Tue, 15 Nov 2005 13:12:41 -0000
Subject: [Full-disclosure] Three years and ten months without a patch
Whilst looking over old Oracle bugs I discovered that a fully patched 8.1.7.4 Oracle server is still vulnerable to the old extproc flaw; this flaw, when exploited, allows a remote attacker without a userID and password to take control of the server. Why, you may ask, has a supported product gone for so long without a patch for a serious problem that was made public 3 years and 10 months ago and reported to Oracle over 4 years ago?
[..]
Litchfield’s mail contains a link to additional commentary with an answer to the question above. Oracle can spin this how they please, but I think Litchfield has hit the nail on the head.
Seeking an answer to this I found the following in Alert 57:
Currently, due to architectural constraints, there are no plans to release a patch for versions 9.0.1.4, 8.1.7.4, 8.1.6.x, 8.1.5.x, 8.0.6.3, 8.0.5.x, 7.3.x, or other patchsets of the supported releases.
What? Wait a minute. They managed to fix the flaw and deal with the same “architectural constraints” in other versions - why not 8.1.7.4? A cynical observer might conclude that Oracle have deliberately left this unpatched in order to improve the chances of their user base upgrading to a version of Oracle that has a patch and having to part with more money. Oracle customers running 8.1.7.4, or any of the versions listed above, would be right to feel indignant. This is exactly the kind of thing I was referring to when I posted this open letter.
