Re: So whats up with the 11.2 java security hole?

From: Vladimir M. Zakharychev <>
Date: Mon, 8 Feb 2010 13:00:38 -0800 (PST)
Message-ID: <>

On Feb 8, 10:18 pm, John Hurley <> wrote:
> On Feb 8, 10:52 am, "Vladimir M. Zakharychev"
> <> wrote:
> snip ...
> > [rant]
> > Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> > disclosure and guess what - no alert from Oracle still. Neither public
> > at, nor
> > paying-customer-only at MOS, nor on their security blogs... Even a
> > simple acknowledgment that they are aware and are working on a fix
> > would do at this point... Do they think that if they just ignore the
> > threat it will eventually go away? Or are they too busy rebranding Sun
> > sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> > heritage, full-fledged user-friendly backdoor, even no need to compose
> > and inject shellcode to instantiate one of your own...)
> > [/rant]
> It does seem quite curious doesn't it.
> No worries though because Mary Ann has our back right?
> How long until the auditors start asking questions ( as they are
> supposed to do )?

Compare that to recent Microsoft attitude towards serious security issues, especially 0-day. They typically publish bulletins within hours just to let their customers know they take the matter seriously. Every such issue damages their reputation and affects their bottom line. Sure, impact of any Microsoft security bug is very wide - and they accepted the responsibility. But impact of an enterprise database bug of such magnitude is probably even more devastating because it hits right in the heart of an enterprise. How they can remain quiet and pretend nothing happens is beyond me. But thanks to David, now I'm forewarned and thus forearmed.

M-A.D. seems to be more concerned with the process than with deliverables I.M.O... She will probably start ranting about how irresponsible it was of David to disclose the issue without giving them time to cook a fix, and how this doesn't help security community and how damaging such disclosures are to Oracle customers, etc. I have a feeling she truly believes in security by obscurity.

She sure has her back covered, but I am not so sure about mine... David's presentation starts with some figures and rates - well, that wasn't new to me, but it's sad to see nothing changed over the last few years. The attitude didn't change. No SCS, laws or education can fix that.


   Bob Received on Mon Feb 08 2010 - 15:00:38 CST

Original text of this message