Oracle critiqued again over patching speed

Bug hunter David Litchfield releases details on a flaw in Oracle products on a mailing list.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers

Bug hunter David Litchfield on Wednesday provided limited details on a new, unpatched security flaw in Oracle software. The problem lies in the PLSQL Gateway, a component of the Oracle Internet Application Server, the Oracle Application Server and the Oracle HTTP Server, he said in an e-mail to the BugTraq mailing list. Litchfield is co-founder of U.K.-based Next Generation Security Software and one of Oracle's most vocal critics.

The flaw can be exploited by an attacker to gain full administrator-level control of a database server through a Web server, Litchfield wrote. He provides a workaround in the mail so Oracle users can protect themselves against attacks. The flaw was reported to Oracle on Oct. 26. Litchfield had hoped that Oracle would provide a fix or a workaround on its recent patch release day. "They failed to do so," he wrote.