Oracle using different process?

SecurityProNews

May 3, 2012

Top Security News

Microsoft Warns Of Conficker Worm Threat
The latest Microsoft Security Intelligence Report (SIR) has compiled new data taken from over 600 million systems worldwide, and has found that iterations of...


The State Of IT Security [Infographic]
We all know about threats to the valuable data we store every day; we hear about them all the time. There's always some anonymous hacker shutting down a website...


Internet Explorer 9.0.6 Now Available, Fixes...
I remember just a few years ago when Internet Explorer was the laughing stock of the browser community. It lacked the functionality that other browsers had while lacking even basic security functions. It's what...



Oracle Offers Workaround After Confusion Leads To Zero-Day Disclosure

By: Trevor Boland

Many software developers offer bounty programs for their products. The concept is that someone finds a vulnerability and notifies the software's developers in exchange for a reward. The point is to dissuade hackers from using the vulnerabilities by offering them something "better"(?).

Of course one would think that, after the vulnerability is turned in and the reward given, the developer would scramble to correct the issue. Oracle seems to have a different process in place.

The vulnerability, rated 7.5 on the CVSS scale (0-10, 10 being most severe), was found by Joxean Koret four years ago. By acting as a man-in-the-middle, an attacker could use it to gain remote access to Oracle's 10g and 11g database versions without authentication. Obviously a rather large issue. Oracle apparently sat on this until its quarterly security update two weeks ago, where it appeared to fix the bug, even crediting Koret in the "Security-in-Depth" program.

Assuming the vulnerability had been corrected, Koret published a proof of concept detailing how the flaw is used. After a few follow-up emails, however, it turned out that Oracle's intention was to correct the flaw in future versions of its software. The workaround Oracle has now published can be found here.

About the Author:
Trevor is a staff writer for the iEntry Network.

SecurityProNews is brought to you by:

SecurityConfig.com NetworkingFiles.com
ITmanagementNews.com NetworkNewz.com
DatabaseProNews.com SQLProNews.com
ITcertificationNews.com SysAdminNews.com
LinuxProNews.com WirelessProNews.com


About SecurityProNews
SecurityProNews is updated in real time with vital internet security alerts, news and in-depth articles for IT Managers. SecurityProNews understands that IT Management Begins With Security.



--This email is a service of SecurityProNews--

iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
All Rights Reserved. Terms under which this service is provided to you. Read our privacy policy. Contact us.
SecurityProNews is part of the iEntry Inc. Network of sites and newsletters.