Exploitable bug in Oracle 10g databases
Posted by isilanes on November 10, 2007
I read in The Register that a zero-day vulnerability has been reported in Oracle 10g databases. I am by no means an expert in databases (“not an expert”, wow, what an understatement! I’m ignorant), but I have my small war against people who regard proprietary DBs such as Oracle or IBM DB2 as far above free software alternatives such as MySQL or PostgreSQL. As an example of a company with HUGE databases, Google uses MySQL. Actually, I just found in the previous link this post in an ex-Google employee’s blog, and I plan to show it to any half-wit parroting the motto that “big commercial solutions” are by default better than “hobbyist things” like free software (especially for DBs).
So, when I read the Register headline, I immediately thought of writing a post on how “bad” Oracle was. However, after actually reading the (short) article, I decided to change the main point of the post. Actually, what this case shows is how “bad” depending on proprietary software is. Quoting the Register article:
Oracle has reportedly created a fix but is not willing to break its quarterly patch release cycle to issue an update. The database giant’s next update is scheduled for 15 January. In the absence of a patch no ready workaround is available, iDefense reports.
Holy crap! Oracle acknowledges that the bug is there, that it is dangerous, and that they do have a fix, but they friggin’ don’t want to release it! Just because “it doesn’t fit” in their well-laid plans! Needless to say, with free software this cannot happen: there is no reason to hold back bugfixes. And even if there were, anyone can write a patch and release it, so there is no vendor locking users in and deciding what to release and when.