The last few months have really taken the shine off Oracle's reputation for building secure products. The latest spat between Duncan Harris (Oracle) and David Litchfield (Next-Generation Security Software) looks like shaping up into a fine old row.
Yesterday Pete Finnegan advised everybody using iAS to apply David Litchfield's workaround immediately. However, Robert Lemos over at Security Focus reports Oracle's Harris as saying something along the lines that Litchfield's workaround is inadequate and "the configuration changes have at least five technical problems that could cause problems for some applications" (a paraphrase by Security Focus, not Harris's actual words). Harris recommends testing it before deploying to a production server. This is obviously sensible advice.
Whether Oracle going toe-to-toe with security researchers is a sensible strategy is slightly less obvious.