We disclosed this to Oracle on Oct. 25 last year. Around the same time, they were alerted to another high-risk flaw that is not as serious as this one. They fixed that one in the January CPU but neglected to fix this. It's not a case of not having enough time, because the fix is trivial and the risks are severe.

I don't think leaving their customers vulnerable for another 3 months (or perhaps even longer) until the next CPU [Critical Patch Update] is reasonable especially when this bug is so easy to fix and easy to workaround. Again, I urge all Oracle customers to get on the phone to Oracle and demand the respect you paid for.

SQL injection is probably today's biggest security issue. This problem has been known about for years, but seven out of ten Web applications are still vulnerable. I find it extremely frustrating.

They are well behind the curve at the moment.

The whole point of a regular patch cycle is that people can plan ahead and install once. But if you are having to install it nine times, where's the benefit of that?

It's quite astonishing how backwards they are in their approach to security.