Oracle sure took its sweet old time patching this...

19 April 2007

Oracle is best known for its database system, which many thousands of companies make use of in some capacity or another. It's big, it's bad, it's complex, but it's also got some amazing features, like clustering and replication, that many other databases (open source and otherwise) can't hold a candle to, assuming that you understand it well enough to make it work. It's a complex beast, no two ways about it.

That complexity, however, is no excuse for them taking two years to patch a security vulnerability in Oracle 10. It's a cross-site scripting bug in the enterprise search subsystem, and XSS is a pretty common class of bug these days, but what gets my goat is that it was discovered around 5 April 2005 and reported to Oracle, yet Oracle didn't actually release a security alert until 17 April 2007.

Now, maybe I'm flying off the handle just a little bit. I've not even finished my first cup of coffee of the day. But finding out that a bug has gone unpatched for two years makes my blood boil just a little bit.