While some might find it amusing that a company accidentally disclosed a zero-day vulnerability in its own software, you won’t if you are an Oracle database administrator.
Earlier this month Oracle released a “critical patch update” fixing 88 vulnerabilities in its wide assortment of database products.
Unfortunately, one of the fixes, for its TNS Listener service, had stability issues, and the vulnerability is only going to be fixed in future versions.
Still, Oracle saw fit to say it was fixed, even though it has no intention of releasing a patch for current versions, all of which remain vulnerable.
This sounds bad enough, but it gets worse. Joxean Koret, who discovered and disclosed the vulnerability to Oracle in 2008, saw the notice that the flaw was fixed and published a proof-of-concept exploit to the Full Disclosure mailing list.
Oracle isn’t exactly known for getting security right, but this is downright reckless. Taking four years to fix a serious vulnerability, and even then only committing that future releases, yet to be named, will fix it?
If you are responsible for securing Oracle DBs I would highly recommend creating extremely restrictive firewall rules for the TNS Listener service, or disabling it entirely if it isn’t needed in your environment.
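As an added illustration of that recommendation (example code, not part of the original post), the script below generates a default-deny iptables rule set that lets only listed client networks reach the listener port. It assumes the listener is on its default port, 1521/tcp, and a Linux host with iptables; the allowlist networks are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: build a default-deny iptables
# rule set for the Oracle TNS Listener so only known client networks can
# reach it. Assumes the listener is on its default port, 1521/tcp, and that
# the host runs Linux with iptables. Nothing is applied until you pipe the
# printed commands into sh.

TNS_PORT=1521   # change if your listener runs on a non-default port

# valid_cidr ADDR[/PREFIX]: accept only dotted-quad IPv4 with optional prefix,
# so a bad allowlist entry cannot be turned into a malformed iptables command.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# tns_listener_rules CIDR...: print one iptables command per line. Returns 1
# and prints nothing if any entry is malformed, so a typo fails closed.
tns_listener_rules() {
    [ "$#" -gt 0 ] || { echo "no client networks given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "rejecting entry: $cidr" >&2; return 1; }
    done
    # Allow each approved network to open connections to the listener.
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $TNS_PORT -s $cidr -j ACCEPT"
    done
    # Everything else is logged (rate-limited) and dropped; the log prefix
    # gives a detection hook for unexpected connection attempts.
    echo "iptables -A INPUT -p tcp --dport $TNS_PORT -m limit --limit 5/min -j LOG --log-prefix 'TNS-DENY: '"
    echo "iptables -A INPUT -p tcp --dport $TNS_PORT -j DROP"
}

# Example with constructed sample networks (an application subnet and one
# admin host). Review the printed output first, then apply it with:
#   tns_listener_rules 10.20.0.0/24 10.20.1.5 | sh
```

Hosts that are dropped show up in the kernel log under the TNS-DENY prefix, which is worth forwarding to whatever monitors your database tier.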
In other Oracle news, the Java JDK is now available for OS X Lion (10.7).
For Java neophytes, this is not the Java Plugin/Java Web Start components that integrate with your browser to allow you to launch Java applets.
It only works with 64-bit versions of Lion and is intended for development use. Earlier versions of OS X will not see a port coming from Oracle either.
This might be an indication that Oracle intends to supply their own JRE/Java Plugin/Web Start for Mac users in the future, which would make it easier for OS X users to stay current without relying on Apple.