For those of you who have purchased original software, have you ever bothered to read the fine print of the warranty policy that comes with the product? Let me give you a portion of it - "Except as and to the extent provided in this agreement, neither COMPANY nor its suppliers nor any related company will in any circumstances BE LIABLE for any other damages whatsoever (including, without limitation, damages for loss of business, business interruption, loss of business information or other indirect or consequential loss) arising out of the use, or inability to use, or supply, or non-supply, of the software product or any written material or any support services".
In other words, the original software that we/you are buying does not come with any warranty. Software is the only product in the world that does not provide any warranty despite being so dynamic and progressive. Not to mention EXPENSIVE. Ironic, isn't it?
I've written numerous articles on hardware and software flaws, but this story takes the cake.
A German security researcher said Oracle Corporation failed to fix Six (6) vulnerabilities despite having more than 650 days to issue a patch. Five (5) of them were found in Oracle Reports and One (1) in Oracle Forms. The flaws are classified as high risk, allowing remote attackers to compromise a server, overwrite files or conduct cross-site scripting attacks. Both Oracle Reports and Oracle Forms are integrated into Oracle's 9i and 10g Application Server and E-Business Suite.
Alexander Kornbrust, who works for Red Database Security, said he sent details of Two (2) of the flaws to Oracle 693 days ago, the third 706 days ago, the fourth 663 days ago, the fifth 664 days ago and the sixth 692 days ago. That is an average of 650 days, or almost Two (2) years. Kornbrust added that he told Oracle of the bugs between July and September of 2003. What year are we in now?
Kornbrust's revelation drew support from other security experts as well. eEye Digital Security product manager Steve Manzuik said the time taken to patch the issue is extreme and is the longest any software maker has taken to fix product flaws (the previous record is about 370 days). iDefense lab director Michael Sutton said that the reported incident is one of the worst examples he has seen of a software vendor not responsibly addressing known vulnerabilities. Security specialist Pete Finnigan said there may be as many as 250 reported unfixed flaws in Oracle products, and the reason may be that Oracle doesn't have enough security people in-house to fix the bugs. (Visit http://secunia.com/advisories/15991/ for a complete list of Oracle product vulnerabilities.)
On a separate occasion, Kornbrust also revealed that the encryption features that come standard with Oracle's database, called DBMS_CRYPTO and the DBMS_OBFUSCATION_TOOLKIT, can also be bypassed. Kornbrust said that the problem lies with the design of Oracle's encryption mechanism, which stores unencrypted numbers, called "keys", that can be seen by an attacker and then used to read sensitive data. Kornbrust found a way to read the keys.
Oracle said in a statement that the company responds as quickly as possible to help protect information secured by customers in Oracle-based information systems. Oracle also said that they are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available. The company added that the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed. Somebody ought to give Oracle a calendar so they realize how long 650 days is, and a dictionary so they understand what "as quickly as possible" means. Maybe Two (2) years is Quick for Oracle? Five (5) years is Quicker? And Ten (10) years Quickest?
Will issuing a patch solve Oracle's woes? YES, as long as it is a correct patch. Oracle recently released Two (2) sets of database patches, one of which exists to fix an earlier set of patches. So it's a new patch for an old patch of an older patch? Oracle said they missed a step in the installation script of the April Critical Patch Update (CPU), which caused a JAR file not to be uploaded to the database. Oracle then issued another advisory stating that they had discovered a flaw in its July CPU. So when will this all end? The product is flawed, and then you issue a patch that is flawed as well?
This clearly demonstrates that Oracle is now in disarray. Not because they don't know what they're doing, but because they have a lot of things to do. Remember the acquisitions they made? Oracle is now scampering to bring together the technologies of Oracle and PeopleSoft (which bought J.D. Edwards) into one product called "Project Fusion". Oracle also acquired Retek, Oblix, I-Flex, and others. With SAP, Microsoft, QAD, Epicor Software, SSA Global and Lawson Software all targeting PeopleSoft and J.D. Edwards clients, Oracle has no choice but to work overtime and put all its resources into finishing Project Fusion. They have neglected the very product that brought them to where they are now. So what do you call the people working for Project Fusion? The "conFUSION Team", what else. (CON means Connect.)
A reminder to all software vendors: Companies and users buy your products for Two (2) reasons - they believe in your products and they trust you. They believe your products will help them become more successful in business, and they trust that you will support them till the end. While it's true that you don't offer or provide any warranties for your products (it's use at your own risk), the trust that clients accord you is something you should protect at all cost. Leaving software flaws unfixed with the intention of keeping them secret is clearly a "Betrayal of Trust".
I emailed (August 12, 2005) Oracle Philippines for clarification but they didn't bother to respond. Perhaps it is still part of their corporate strategy not to respond to questions because they still need to patch their answers. In Two (2) years maybe, I'll get an answer from them. Just guessing.
Now it can be said - Oracle was never "Unbreakable". Not only is it "BREAKABLE" but also "PENETRABLE". Fix the problem, my friends.
I am logging off. God bless us all!!!
*****
Announcement:
We would like to invite our readers to attend the Microsoft Office 2003 Powertips seminar on September 14, 2005 at the Makati Shangri-La Hotel. Simply register online at http://www.microsoft.com/philippines/powertips/ or buy your tickets at any SM TicketNet outlet.
For your questions, comments, suggestions, press releases and stories, please e-mail techtvhost@yahoo.com or visit www.infochat.com.ph for more articles.
**********