The latest quarterly round of patches is part of a concerted effort by Oracle to distance itself from the secretive approach the vendor used to take toward security, says Jon Oltsik, an analyst at Enterprise Strategy Group. Oracle has made big improvements over the past year, though it still doesn't live up to Microsoft's lofty standard of communication regarding security, Oltsik says.
Previously, Oracle "wouldn't talk about anything they were doing in security. ... and they weren't proactively talking to customers about what they were seeing," Oltsik says. Lately, "they've been more open, they've been more communicative and less confrontational with the research community."
Today's round of patches includes 14 security fixes for Oracle's E-Business Suite, six of which could be exploited without a username or password. The most dangerous of these vulnerabilities affects Oracle Customer Intelligence.
Oracle's PeopleSoft products are the subject of seven security fixes, in CRM, Enterprise PeopleTools and Enterprise Human Capital Management.
Oracle released 19 patches for Oracle database products to eliminate vulnerabilities in components such as Application Express, DataGuard, Data Mining, and SQL Compiler. Two vulnerabilities -- those in the Oracle Internet Directory and Program Interface -- could be exploited remotely without a username or password.
The rest of the vulnerabilities are in Oracle Application Server and Oracle Collaboration Suite.
Oracle has sometimes been criticized for patching serious vulnerabilities months after they are discovered. The company is taking steps to at least make it easier for customers to apply patches after they come out. This year, Oracle began notifying customers several days before security updates, to make it easier for them to plan ahead. Oracle's newest database management system, which was just announced, will allow customers to patch without taking systems offline.
But Oracle patches are often still released three months or more after vulnerabilities are reported, says Slavik Markovich, chief technology officer and vice president of research and development for Sentrigo, a database security vendor.
"Oracle is getting a lot better with patches. Historically, the main issue is they still have a very very complex product, Oracle database is very complex with lots of features," Markovich says.
Sentrigo's technology prevents hackers or disgruntled employees from taking advantage of vulnerabilities within the Oracle database product, even before patches come out, Markovich says. For example, Sentrigo can stop employees from stealing data they're not supposed to have access to, he says.
"We're monitoring every transaction in the database by using access to the shared memory," Markovich says.
But Sentrigo still recommends installing Oracle patches, and avoiding the addition of database features that are not needed, because this unnecessarily increases the attack surface. "We're not actually patching the database," Markovich says of Sentrigo's technology. "We can terminate and quarantine access [from unauthorized users]."
Oracle's customer service could still use some improvement, according to Oltsik. Oracle should take a cue from Microsoft, which is more willing to release emergency patches and make custom patches for specific customers, he says.
"What Microsoft has done effectively is increase the communication, increase support for special customers," Oltsik says. "That's the kind of customization that's the next step [for Oracle]."