Oracle's less secretive approach to security

Oracle Tuesday fixed 45 security flaws in its database and application products, many of which could be remotely exploited by hackers without a username or password.

The latest quarterly round of patches is part of a concerted effort by Oracle to distance itself from the secretive approach the vendor used to take toward security, says Jon Oltsik, an analyst at Enterprise Strategy Group. Oracle has made big improvements over the past year, though it still doesn't live up to Microsoft's lofty standard of communication regarding security, Oltsik says.

Previously, Oracle "wouldn't talk about anything they were doing in security. ... and they weren't proactively talking to customers about what they were seeing," Oltsik says. Lately, "they've been more open, they've been more communicative and less confrontational with the research community."

Today's round of patches includes 14 security fixes for Oracle's E-Business Suite, six of which could be exploited without a username or password. The most dangerous of these vulnerabilities affects Oracle Customer Intelligence.

Oracle's PeopleSoft products are the subject of seven security fixes, in CRM, Enterprise PeopleTools and Enterprise Human Capital Management.

Oracle released 19 patches for Oracle database products to eliminate vulnerabilities in components such as Application Express, DataGuard, Data Mining, and SQL Compiler. Two vulnerabilities -- those in the Oracle Internet Directory and Program Interface -- could be exploited remotely without a username or password.

The rest of the vulnerabilities are in Oracle Application Server and Oracle Collaboration Suite.

Oracle has sometimes been criticized for patching serious vulnerabilities months after they are discovered. The company is taking steps to at least make it easier for customers to apply patches after they come out. This year, Oracle began notifying customers several days before security updates, to make it easier for them to plan ahead. Oracle's newest database management system, which was just announced, will allow customers to patch without taking systems offline.

But Oracle patches are often still released three months or more after vulnerabilities are reported, says Slavik Markovich, chief technology officer and vice president of research and development for Sentrigo, a database security vendor.

"Oracle is getting a lot better with patches. Historically, the main issue is they still have a very very complex product, Oracle database is very complex with lots of features," Markovich says.

Sentrigo's technology prevents hackers or disgruntled employees from taking advantage of vulnerabilities within the Oracle database product, even before patches come out, Markovich says. For example, Sentrigo can stop employees from stealing data they're not supposed to have access to, he says.

"We're monitoring every transaction in the database by using access to the shared memory," Markovich says.

But Sentrigo still recommends installing Oracle patches, and avoiding the addition of database features that are not needed, because this unnecessarily increases the attack surface. "We're not actually patching the database," Markovich says of Sentrigo's technology. "We can terminate and quarantine access [from unauthorized users]."

Oracle's customer service could still use some improvement, according to Oltsik. Oracle should take a cue from Microsoft, which is more willing to release emergency patches and make custom patches for specific customers, he says.

"What Microsoft has done effectively is increase the communication, increase support for special customers," Oltsik says. "That's the kind of customization that's the next step [for Oracle]."
