August 22, 2005

"Can't Break It. Can't Break In."

Remember Oracle's marketing campaign about how their software was "unbreakable"? Oracle has since back-pedaled hard on claims like "hackers can't break in" and "can't break it; can't break in," since they are demonstrably untrue, but one would think that a company making such claims would have security (and hence product patches) high on its priority list. Apparently not so for Oracle.

The situation for Oracle users keeps getting worse. If you were worried that Oracle was hanging you out to dry by delivering patches at a "glacial" pace, you can probably take comfort in the fact that new research demonstrates that even if you kept up with the patches, you probably wouldn't be protected anyway. Mary Ann, Oracle's CSO, has claimed that it's really the researchers who are to blame for bad product security, but I doubt that even Mary Ann can get that to fly in this case. I guess the argument could be made that it was researchers who noticed that the Oracle patches didn't work, but all in all, I think it was Oracle that dropped the ball on this one.

Maybe a new campaign from Oracle: "Unpatchable"?

Posted by Ed at August 22, 2005 10:01 AM