A security expert from Red Database Security has blasted Oracle's patching policy, and released details about six security vulnerabilities by way of a protest.

According to the Red Database website, the flaws were first reported to Oracle nearly two years ago.

"It seems that Oracle is not interested in fixing and providing patches for this issue. If you think you need a patch to protect your Oracle Application Server you should contact Oracle," wrote Alexander Kornbrust in the security reports.

The flaws affect Oracle Forms and Oracle Reports, which ship as part of Oracle 9i and 10g Application Servers and Developer Suites.

Security website Secunia gave the flaws a ranking of "moderately critical", the third level on a five-level scale.

At least one of the flaws provides a way for hackers to take control of a system running the Oracle application.

Red Database claims to have sent Oracle a reminder about the flaws on 15 April, threatening to publish the details if the flaws were not addressed in the company's July patch update.

Kornbrust released details about the security holes out of frustration over Oracle's refusal to issue a patch, and to provide details about workarounds that mitigate the risk.

Unveiling the security holes challenges the database vendor's claim to making software that is 'unbreakable', but as a nasty flipside could attract hackers to exploit the flaws.

A spokesman for Oracle told vnunet.com that the company responds to software flaws "as quickly as possible", and that he would have preferred Kornbrust to wait.

"We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available," he said.