Analyst: Oracle not on the ball


A Gartner analyst has slammed Oracle over its security updates, saying users should be vigilant about threats to the software.

"(This) shows Oracle can no longer be considered a bastion of security," analyst Rich Mogull said Monday on the Gartner website. "Database and application managers must begin protecting and maintaining Oracle systems more aggressively."

Last week, as part of its quarterly patch release, which Oracle calls a Critical Patch Update, Redwood Shores, Calif.-based Oracle issued fixes for 82 flaws across a number of its products, including Oracle Database. Its previous update, in October, fixed more than 80 other vulnerabilities.

"Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate," Mogull said, "and exploit tools and proof-of-concept code are appearing more regularly on the internet."

Mogull said enterprises must institute additional safeguards, as Oracle products are not immune to malware attacks.

"The range and seriousness of the vulnerabilities patched in this update cause us great concern," Mogull said. "The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur."

Mogull recommended that Oracle users shield their systems as effectively as possible, using intrusion prevention systems and firewalls, and that they apply fixes as quickly as possible.

Finally, he urged enterprises to encourage Oracle to revise its security management practices.

Several security experts have criticized Oracle for failing to recommend workarounds, not promptly issuing patches or holding off on addressing other vulnerabilities altogether.

In fact, data security firm Imperva, which discovered a vulnerability in Oracle software that could enable users with basic access to take over a network as database administrators, criticized the software giant last week.

Oracle issued a patch, as part of its January update, which provides a default account and password checking utility that helps customers secure certain default database accounts.
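The check that utility performs can also be done directly from a DBA session. The following is an added example, not Oracle's utility from the January update and not code from the article; it assumes Oracle Database 11g or later, where the DBA_USERS_WITH_DEFPWD view lists accounts whose password still matches the shipped default, and a session with DBA privileges (run in SQL*Plus or SQLcl):

```sql
-- Added example (not Oracle's own utility from the January update).
-- Assumes Oracle Database 11g or later, where DBA_USERS_WITH_DEFPWD
-- lists accounts still using a vendor default password, and a
-- session with DBA privileges.

-- 1. Which accounts still use a vendor default password, and are any
--    of them open to logon?
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Lock and expire every such account that is still open, so the
--    default credential cannot be used for a remote logon. SYS and
--    SYSTEM are excluded: they must get a new password with
--    ALTER USER ... IDENTIFIED BY ... rather than be locked. Any
--    other account an application genuinely needs should likewise be
--    given a new password before it is unlocked again.
BEGIN
  FOR r IN (SELECT d.username
              FROM dba_users_with_defpwd d
              JOIN dba_users u ON u.username = d.username
             WHERE u.account_status = 'OPEN'
               AND u.username NOT IN ('SYS', 'SYSTEM')) LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                      '" ACCOUNT LOCK PASSWORD EXPIRE';
  END LOOP;
END;
/

-- 3. Re-run the check. An empty result means no account other than
--    SYS/SYSTEM is both open and still on a default password.
SELECT d.username
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';
```

On releases older than 11g the view does not exist, which is why the January update shipped a separate checking utility; there the same result is obtained by comparing password hashes against a list of known default-account hashes, and the lock-and-expire step is unchanged.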

"During that time there was no recommended workaround for this undisclosed and unpatched vulnerability," Imperva said. "While the complexity of modern database platforms may necessitate such delays, they are not acceptable for companies who rely on databases to run their business."

Oracle has said its policy is to issue patches in order of their severity.

In November 2004, Oracle began issuing updates four times a year. At the time, company CSO Mary Ann Davidson said quarterly releases would not leave users exposed for long but also would not overwhelm them with the need for constant fixes.

An Oracle spokesperson could not be reached for comment today.
