[ISN] Oracle hedging its vulnerability reports?

From: InfoSec News <alerts_at_private>
Date: Thu, 28 Apr 2011 02:32:55 -0500 (CDT)
http://www.computerworld.com/s/article/9216213/Oracle_hedging_its_vulnerability_reports_

By Joab Jackson
IDG News Service
April 27, 2011

Oracle may be subtly misleading customers about the severity of some of 
the vulnerabilities found in its database software, according to 
researchers from database security software provider Application 
Security (AppSec).

"Oracle likes to downplay the risk of its vulnerabilities," said Alex 
Rothacker, director of security research for AppSec. As a result, 
organizations using Oracle's vulnerability ratings to prioritize system 
updates may unduly delay applying some critical patches, he said.

Every three months, Oracle bundles and releases patches to fix recently 
discovered vulnerabilities in its software products. The company rates 
the severity of these vulnerabilities using the Common Vulnerability 
Scoring System (CVSS) industry standard.

AppSec's concern centers on a unique rating that Oracle has added 
onto its CVSS scores, called Partial+. A CVSS rating is a single score, 
ranging from 1 to 10, that summarizes the severity of a vulnerability. 
The score itself is an average of a set of scores that evaluate the 
different aspects of a vulnerability's severity.

[...]

Received on Thu Apr 28 2011 - 00:32:55 PDT