Oracle’s Patch – Where Does A Vendor’s Responsibility End?
According to CNN, Oracle discovered an issue in 2012 that allowed hackers to compromise Oracle systems with this weakness. Some white hat hackers were wandering around the internet recently (in 2014) and discovered that some systems had not had this patch applied.
These hackers were able to access children’s school records, arrest records, the real names and numbers of intelligence agents, social security numbers and other private stuff. You get the idea – stuff that should not be public.
CNN asked Oracle about the issue and they said:
“We identified this issue two years ago. It was not a product coding defect allowing hackers to bypass security mechanisms. Instead, the product included a configuration setting allowing customers to disable security checks. Oracle identified that customers were leaving this setting open and immediately issued a patch that made the default setting for customers secure.
So basically, what Oracle is saying – and in their defense, this is no different from what most software vendors say – is that we issued a patch – for something which is not even a bug in the traditional sense – and it is up to our customers to install these patches. Our responsibility is over.
Legally, this is probably true – assuming that Oracle, given the typical software license agreement language, had any responsibility in the first place.
Maybe this bug is no worse than the hundred other bugs that Oracle patched last quarter. Likely it is worse than some and not as bad as others.
However, these customers are storing very sensitive information and it sounds like that at least some of them are government customers. The article provides some details on the customers and the type of information, but since these systems are not patched, the article is not naming organizations.
There is no easy answer to how to handle this, but it is certainly a topic worthy of public discussion. Some people would say the existing rules are too stringent; others would say they are too lax. I would say that the patchwork of state based laws is impossible to manage compliance with.
Lets see what happens.
Mitch Tanenbaum