Security News > 2011 > April > Oracle hedging its vulnerability reports?

http://www.computerworld.com/s/article/9216213/Oracle_hedging_its_vulnerability_reports_ By Joab Jackson IDG News Service April 27, 2011 Oracle may be subtly misleading customers about the severity of some of the vulnerabilities found in its database software, according to researchers from database security software provider Application Security (AppSec). "Oracle likes to downplay the risk of its vulnerabilities," said Alex Rothacker, director of security research for AppSec. As a result, organizations using Oracle's vulnerability ratings to prioritize system updates may unduly delay applying some critical patches, he said. Every three months, Oracle bundles and releases patches to fix recently discovered vulnerabilities in its software products. The company rates the severity of these vulnerabilities using the Common Vulnerability Scoring System (CVSS) industry standard. AppSec's concern centers around a unique rating that Oracle has added onto its CVSS scores, called Partial+. A CVSS rating is single score, ranging form 1 to 10, that summarizes the severity of a vulnerability. The score itself is an average of a set of scores that evaluate the different aspects of a vulnerability's severity. [...] ___________________________________________________________ Tegatai Managed Colocation: Four Provider Blended Tier-1 Bandwidth, Fortinet Universal Threat Management, Natural Disaster Avoidance, Always-On Power Delivery Network, Cisco Switches, SAS 70 Type II Datacenter. Find peace of mind, Defend your Critical Infrastructure. http://www.tegataiphoenix.com/

News URL

http://www.computerworld.com/s/article/9216213/Oracle_hedging_its_vulnerability_reports_