Tuesday, May 02, 2006

Too late

Recently I’ve decided to remove my previous post because things turned out to be worse than I expected. Briefly speaking, the April 2006 CPU released by Oracle Corp. does not solve the problem: unfortunately, that serious vulnerability is still relevant.


Now, I must stress: at the moment I published my previous post, I was pretty sure that the problem was nearly fixed: Oracle Support told me that "it’s well-known security vulnerability that will be solved by April CPU". That CPU is already released; however, as I already mentioned, it does not suggest a fix to that issue. It seems that the Oracle support guys didn’t get me right from the very beginning, but I’m not going to speculate about possible reasons...


And now, I feel that I’m in a tricky situation of some kind: being sure that the problem is about to be fixed soon, I published pretty critical information here. Though I didn’t mention any details, it’s still critical I think.


So I decided to remove it once and forever, but then I eventually discovered that it’s just too late. The same web page, http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html, was updated days ago with information from my blog. For sure, I don’t know Alexander Kornbrust personally (a man who seems to head up that company) but I believe that he understands responsibility and won’t publish any critical details on his website.


It seems that there’s no way back, and it obviously does not make me happy. So I am leaving my previous post "as it is", with sincere hope for a better future.


Andrew.
