Oracle's less secretive approach to security

Oracle Tuesday fixed 45 security flaws in its database and application products, many of which could be remotely exploited by hackers without a username or password.

The latest quarterly round of patches is part of a concerted effort by Oracle to distance itself from the secretive approach the vendor used to take toward security, says Jon Oltsik, an analyst at Enterprise Strategy Group. Oracle has made big improvements over the past year, though it still doesn't live up to Microsoft's lofty standard of communication regarding security, Oltsik says.

Previously, Oracle "wouldn't talk about anything they were doing in security. ... and they weren't proactively talking to customers about what they were seeing," Oltsik says. Lately, "they've been more open, they've been more communicative and less confrontational with the research community."

Today's round of patches includes 14 security fixes for Oracle's E-Business Suite, six of which could be exploited without a username or password. The most dangerous of these vulnerabilities affects Oracle Customer Intelligence.

Oracle's PeopleSoft products are the subject of seven security fixes, in CRM, Enterprise PeopleTools and Enterprise Human Capital Management.

Oracle released 19 patches for Oracle database products to eliminate vulnerabilities in components such as Application Express, DataGuard, Data Mining, and SQL Compiler. Two vulnerabilities -- those in the Oracle Internet Directory and Program Interface -- could be exploited remotely without a username or password.

The rest of the vulnerabilities are in Oracle Application Server and Oracle Collaboration Suite.

Oracle has sometimes been criticized for patching serious vulnerabilities months after they are discovered. The company is taking steps to at least make it easier for customers to apply patches after they come out. This year, Oracle began notifying customers several days before security updates, to make it easier for them to plan ahead. Oracle's newest database management system, which was just announced, will allow customers to patch without taking systems offline.

But Oracle patches are often still released three months or more after vulnerabilities are reported, says Slavik Markovich, chief technology officer and vice president of research and development for Sentrigo, a database security vendor.

"Oracle is getting a lot better with patches. Historically, the main issue is they still have a very very complex product, Oracle database is very complex with lots of features," Markovich says.

Sentrigo's technology prevents hackers or disgruntled employees from taking advantage of vulnerabilities within the Oracle database product, even before patches come out, Markovich says. For example, Sentrigo can stop employees from stealing data they're not supposed to have access to, he says.

"We're monitoring every transaction in the database by using access to the shared memory," Markovich says.

But Sentrigo still recommends installing Oracle patches, and avoiding the addition of database features that are not needed, because this unnecessarily increases the attack surface. "We're not actually patching the database," Markovich says of Sentrigo's technology. "We can terminate and quarantine access [from unauthorized users]."

Oracle's customer service could still use some improvement, according to Oltsik. Oracle should take a cue from Microsoft, which is more willing to release emergency patches and make custom patches for specific customers, he says.

"What Microsoft has done effectively is increase the communication, increase support for special customers," Oltsik says. "That's the kind of customization that's the next step [for Oracle]."
