Oracle's less secretive approach to security

On Tuesday, Oracle fixed 45 security flaws in its database and application products, many of which could be remotely exploited by hackers without a username or password.

The latest quarterly round of patches is part of a concerted effort by Oracle to distance itself from the secretive approach the vendor used to take toward security, says Jon Oltsik, an analyst at Enterprise Strategy Group. Oracle has made big improvements over the past year, though it still doesn't live up to Microsoft's lofty standard of communication regarding security, Oltsik says.

Previously, Oracle "wouldn't talk about anything they were doing in security. ... and they weren't proactively talking to customers about what they were seeing," Oltsik says. Lately, "they've been more open, they've been more communicative and less confrontational with the research community."

Today's round of patches includes 14 security fixes for Oracle's E-Business Suite, six of which could be exploited without a username or password. The most dangerous of these vulnerabilities affects Oracle Customer Intelligence.

Oracle's PeopleSoft products are the subject of seven security fixes, in CRM, Enterprise PeopleTools and Enterprise Human Capital Management.

Oracle released 19 patches for Oracle database products to eliminate vulnerabilities in components such as Application Express, DataGuard, Data Mining, and SQL Compiler. Two vulnerabilities -- those in the Oracle Internet Directory and Program Interface -- could be exploited remotely without a username or password.

The rest of the vulnerabilities are in Oracle Application Server and Oracle Collaboration Suite.

Oracle has sometimes been criticized for patching serious vulnerabilities months after they are discovered. The company is taking steps to at least make it easier for customers to apply patches after they come out. This year, Oracle began notifying customers several days before security updates, to make it easier for them to plan ahead. Oracle's newest database management system, which was just announced, will allow customers to patch without taking systems offline.

But Oracle patches are often still released three months or more after vulnerabilities are reported, says Slavik Markovich, chief technology officer and vice president of research and development for Sentrigo, a database security vendor.

"Oracle is getting a lot better with patches. Historically, the main issue is they still have a very very complex product, Oracle database is very complex with lots of features," Markovich says.

Sentrigo's technology prevents hackers or disgruntled employees from taking advantage of vulnerabilities within the Oracle database product, even before patches come out, Markovich says. For example, Sentrigo can stop employees from stealing data they're not supposed to have access to, he says.

"We're monitoring every transaction in the database by using access to the shared memory," Markovich says.

But Sentrigo still recommends installing Oracle patches, and avoiding the addition of database features that are not needed, because this unnecessarily increases the attack surface. "We're not actually patching the database," Markovich says of Sentrigo's technology. "We can terminate and quarantine access [from unauthorized users]."

Oracle's customer service could still use some improvement, according to Oltsik. Oracle should take a cue from Microsoft, which is more willing to release emergency patches and make custom patches for specific customers, he says.

"What Microsoft has done effectively is increase the communication, increase support for special customers," Oltsik says. "That's the kind of customization that's the next step [for Oracle]."
