Oracle's less secretive approach to security

Oracle on Tuesday released fixes for 45 security flaws in its database and application products, many of them remotely exploitable by attackers without a username or password.

The latest quarterly round of patches is part of a concerted effort by Oracle to distance itself from the secretive approach the vendor used to take toward security, says Jon Oltsik, an analyst at Enterprise Strategy Group. Oracle has made big improvements over the past year, though it still doesn't live up to Microsoft's lofty standard of communication regarding security, Oltsik says.

Previously, Oracle "wouldn't talk about anything they were doing in security. ... and they weren't proactively talking to customers about what they were seeing," Oltsik says. Lately, "they've been more open, they've been more communicative and less confrontational with the research community."

Today's round of patches includes 14 security fixes for Oracle's E-Business Suite, six of which could be exploited without a username or password. The most dangerous of these vulnerabilities affects Oracle Customer Intelligence.

Oracle's PeopleSoft products are the subject of seven security fixes, in CRM, Enterprise PeopleTools and Enterprise Human Capital Management.

Oracle released 19 patches for Oracle database products to eliminate vulnerabilities in components such as Application Express, DataGuard, Data Mining, and SQL Compiler. Two vulnerabilities -- those in the Oracle Internet Directory and Program Interface -- could be exploited remotely without a username or password.

The rest of the vulnerabilities are in Oracle Application Server and Oracle Collaboration Suite.

Oracle has sometimes been criticized for patching serious vulnerabilities months after they are discovered. The company is taking steps to at least make it easier for customers to apply patches after they come out. This year, Oracle began notifying customers several days before security updates, to make it easier for them to plan ahead. Oracle's newest database management system, which was just announced, will allow customers to patch without taking systems offline.

But Oracle patches are often still released three months or more after vulnerabilities are reported, says Slavik Markovich, chief technology officer and vice president of research and development for Sentrigo, a database security vendor.

"Oracle is getting a lot better with patches. Historically, the main issue is they still have a very, very complex product; Oracle database is very complex with lots of features," Markovich says.

Sentrigo's technology prevents hackers or disgruntled employees from taking advantage of vulnerabilities within the Oracle database product, even before patches come out, Markovich says. For example, Sentrigo can stop employees from stealing data they're not supposed to have access to, he says.

"We're monitoring every transaction in the database by using access to the shared memory," Markovich says.

But Sentrigo still recommends installing Oracle patches, and avoiding the addition of database features that are not needed, because this unnecessarily increases the attack surface. "We're not actually patching the database," Markovich says of Sentrigo's technology. "We can terminate and quarantine access [from unauthorized users]."
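The two pieces of advice above, install the quarterly patches and do not leave unneeded database components installed, can both be checked from the data dictionary. The following SQL*Plus script is an added example written for this page; it is not code from the article, from Oracle or from Sentrigo. It assumes the DBA_REGISTRY, V$OPTION, DBA_REGISTRY_HISTORY and DBA_OBJECTS views as documented for Oracle Database 10g and 11g, and a session with SYSDBA or equivalent SELECT privileges on those views.

```sql
-- Added example, not from the article or from Oracle/Sentrigo.
-- Run as SYSDBA (or a user with SELECT on the DBA_ and V$ views) in SQL*Plus.
-- Assumption: DBA_REGISTRY, V$OPTION, DBA_REGISTRY_HISTORY and DBA_OBJECTS
-- behave as documented for Oracle Database 10g/11g.

-- 1. Which components are installed in this database?  Every component an
--    application does not use (Application Express, Data Mining, ...) is
--    attack surface that still has to be patched each quarter.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
ORDER  BY comp_id;

-- 2. Which licensable options are linked into the server binary?  'TRUE'
--    means the option's code is loaded and reachable, not that it is in use.
SELECT parameter, value
FROM   v$option
WHERE  value = 'TRUE'
ORDER  BY parameter;

-- 3. Has the latest Critical Patch Update actually been applied?  Each
--    CPU/PSU that ran its post-install SQL leaves a row here; an empty
--    result, or a newest action_time older than the last CPU release,
--    means the quarterly patch is missing on this database.
SELECT action_time, action, namespace, version, id, comments
FROM   dba_registry_history
ORDER  BY action_time DESC;

-- 4. Invalid objects are the usual sign of a patch install that did not
--    complete (or of a component that was removed carelessly).
SELECT owner, object_type, COUNT(*) AS invalid_objects
FROM   dba_objects
WHERE  status = 'INVALID'
GROUP  BY owner, object_type
ORDER  BY owner, object_type;
```

Query 3 only reflects patches whose post-install SQL was run against this particular database; a patch applied to the ORACLE_HOME binaries but never registered in a given instance will not appear, so compare the result against the OPatch inventory for the same home before concluding the instance is current.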

Oracle's customer service could still use some improvement, according to Oltsik. Oracle should take a cue from Microsoft, which is more willing to release emergency patches and make custom patches for specific customers, he says.

"What Microsoft has done effectively is increase the communication, increase support for special customers," Oltsik says. "That's the kind of customization that's the next step [for Oracle]."
