Hey all,
I don't know whether this helps serve any purpose or not, other than to
vent some of my own frustrations; however...
In the wake of the release of Alex Kornbrust's details on some Oracle
flaws there has been some discussion in various places about when I
supposedly did the same thing last year at Blackhat - i.e. release
information on Oracle bugs in the absence of a vendor supplied patch.
For the record, I did _not_ do this.
So, setting the record straight: I was due to present a talk that
centered around a batch of Oracle vulnerabilities at Blackhat last year.
I gave Oracle a heads up and explained that I intended to do so and
questioned whether the patches would be ready. On the day of the talk I
was informed by Oracle that the patches were not ready and so when I got
up on the stage I proceeded to tell everyone exactly why I could no
longer do the talk. i.e. I can't do the talk because Oracle failed to
patch the problems I was going to talk about.
I did not discuss in any form or fashion the actual bugs.