Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Oracle's 'thrown in the towel' on database patching, researcher claims

But Oracle says it's already weeded out most bugs

A security researcher today criticized Oracle for neglecting to patch its core database products, noting that the massive update slated for later Tuesday will set a record for the fewest fixes.

Alex Rothacker, director of security research of Application Security's TeamShatter vulnerability group, said that Oracle has "thrown in the towel on fixing database vulnerabilities."

"Assuming the January 2012 CPU [critical patch updates] report stays the same as the preview, they will have set a new record low of just two database fixes," said Rothacker in an email today.

The preview Rothacker referred to was the pre-patch notification Oracle issued last week that said it would patch 78 vulnerabilities altogether , 27 of them in the MySQL database, but only two in its Oracle Database products.

The two patches beats the previous low of five database fixes that Oracle issued last October.

"The trend since January 2010 has been a straight line going down," said Rothacker in a Monday interview. "And it's not that those products are less vulnerable.

Rothacker cited nine bugs that his team has reported to Oracle over the last six to 12 months, but which have not yet been patched, as evidence that Oracle Database contains vulnerabilities.

Two or three of the nine, said Rothacker, are serious enough that his team of researchers rank them as high risks, and think should have been patched by now.

"There are still issues that they're not fixing," said Rothacker, "including several currently open in the Enterprise Manager, a tool where you can manage databases and apply patches."

Rothacker believes there's a correlation between the drop in database patches and Oracle's acquisition of Sun Microsystems.

"The drop in database fixes started around the time that Oracle acquired Sun and began issuing more fixes for its Fusion Middleware," said Rothacker.

Oracle announced plans to acquire Sun in April 2009, but did not receive blessing from U.S. and European Union antitrust regulators until later that year. The merger became official in January 2010.

Today's CPU will include 17 patches for Sun-branded products and 11 for Fusion Middleware.

Oracle has noted the drop in database patches, too, but offers a different explanation.

"As the Oracle Database Server code base has matured, Oracle's ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base," said Eric Maurice, director of the company's security assurance program, in a December 2011 blog post . "Unless circumstances change drastically -- as a result of, for example, the discovery of new exploit vectors -- we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced."

Maurice said that the number of vulnerabilities in its database line-up have decreased over the last three-to-four years, and that Oracle's secure coding efforts -- an initiative similar to Microsoft's Security Development Lifecycle (SDL) program -- have helped reduce the number of bugs in newer code.

Rothacker countered. "I just can't agree with that," he said today. "We're reporting about the same amount [of bugs] to them, but they're fixing fewer."

In 2011, Oracle patched five database vulnerabilities in October, 16 in July, and six each in April and January. All four CPUs issued in 2010 included database fixes in single digits, while the four in 2009 each contained a double-digit number of database patches.

Oracle today declined to comment on Rothacker's claims, but said it would publish commentary on today's CPU when it issues the update.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Apple, Google, Microsoft, MySQL, Oracle, SDL, Sun Microsystems, Topic
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: applications, databases, Malware and Vulnerabilities, mysql, oracle, security, software
Latest Blog Posts
Whitepapers
  • SOA Adoption for Dummies
    This book describes our approach to SOA adoption, which we call SOA rocket science. SOA adoption, like a real-world rocket, experiences a danger zone between blast-off and the weightlessness of orbit. When fully realized, SOA can transform your business. But until firmly established, your SOA dreams can plummet back to earth.
    Learn more »
  • Printer Usage and Cost Management Strategies for the Australian Mid-market, an Unrealised Opportunity
    This whitepaper was commissioned to aid senior business and ICT decision makers of medium-sized government and corporate organisations, including marketing, finance, and technology executives to better understand the current use of print devices including copiers, printers and multi-function Page 19 Reproductions in whole or in part are prohibited. This whitepaper also provides insights into how current management practices can be improved to optimise investments and improve sustainability. Read on.
    Learn more »
  • Top 5 Myths of Safe Web Browsing
    There are a lot of misconceptions out there about safe web browsing. You might think you're being safe. But without the facts it’s next to impossible to stay protected against today’s changing threats. In this paper we describe the top five myths of safe web browsing, what the facts really are, and what you can do to stay secure.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.