Users should put pressure on Oracle to change the way it issues patches and call for workarounds in the light of the size of its latest quarterly security update, analyst company Gartner has urged.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Earlier this month Oracle issued a regular security update containing 82 patches.
Although Gartner supported Oracle's security patch cycle, research vice-president Rich Mogull said, "The range and seriousness of the vulnerabilities patched in this update cause us great concern."
He warned that the databases alone included 37 vulnerabilities. Many of these were rated as easily exploitable and some potentially allowing remote database access.
"Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur," Mogull said.
In Gartner's experience, Oracle database administrators generally neglect regular patching, because Oracle applications and databases are typically embedded deep within the enterprise, which makes changes difficult.
Mogull said patching could be impossible, owing to ties to legacy versions of software that were no longer supported. With exploit tools for Oracle security holes appearing more regularly on the internet, Mogull urged users to press Oracle to change its security practices and improve the patching process.
Duncan Harris, senior director of security assurance at Oracle, said the company had made changes to handle security bugs better. "Our plans are to keep trying to improve patches and the amount of testing we can do."
He said Oracle planned to make the patching process more automated.
Gartner's advice for Oracle users
- Move immediately to shield vulnerabilities announced in the Oracle security bulletin, using firewalls, intrusion prevention systems and other technologies
- Develop a shielding schedule
- Apply patches as rapidly as possible once they are released
- Use alternative security tools, such as activity-monitoring software to detect unusual activity
- Pressure Oracle to change its security management practices and provide more information on flaws.