Single patch with multiple fixes issued for core enterprise products
Security firms report rise in exploits against enterprise applications
Oracle is to issue monthly security patches for its Database, Application Server and Enterprise Manager products, as security experts report an increase in attacks on core enterprise applications.
Previously, Oracle issued software patches whenever they were required. But it has now changed this policy. "We believe a single patch encompassing multiple fixes, on a predictable schedule, better meets the needs of our customers," the company said.
Industry experts said Oracle's change in policy highlighted a trend of hackers attacking key business applications.
Nick Bleech, head of security management services at KPMG, said, "We are seeing much more emphasis on deliberate attacks on applications. IT security has focused on infrastructure such as e-mail and the internet, rather than business processes. We need to remind people that it is the data that is at risk."
Steve Knight, marketing manager at penetration testing firm ProCheckUp, said, "Many companies still fail to understand that the database server is often the core of the company data, and although they will house it in very secure and expensive datacentres, they often do not take the relatively simple steps required to protect it from external attack."
He added that over the past 12-18 months, ProCheckUp had seen a rise in database exploits, such as SQL insertion, which are now present in 65% of penetration tests, up from 40%.
Oracle was criticised by some users for moving slowly to patch security holes that were reported in January. But it said the delay was necessary because its policy required significant security issues to be fixed on all supported releases and platforms.
In August, David Litchfield, managing director of UK-based Next Generation Security Software, claimed to have found 34 security vulnerabilities in past and existing versions of Oracle's database software.
In June, Integrity, which sells security tools for Oracle products, said it had detected multiple, highly critical vulnerabilities in Oracle E-Business Suite and Oracle Applications.
In response, Oracle said, "Security is a matter we take seriously and, while we stand firmly behind the inherent security of our products, we are always working to do better."
Oracle said it would release critical patches for Oracle Database, Oracle Application Server and Oracle Enterprise Manager by 31 August, and issue an alert when all the patches have been completed.
Oracle's change mirrors Microsoft's move to monthly patching from weekly updates last year.