Gartner Disses Oracle Security

By Lisa Vaas  |  Posted 2006-01-25

Close on the heels of Oracle's latest critical patch update, Gartner publishes an advisory warning that, given the seriousness and the ease of exploit of the flaws involved, administrators have got to get over their laissez-faire attitude toward patching.

Close on the heels of Oracle's latest critical patch update, Gartner has published an advisory warning that, given the seriousness and the ease of exploit of the flaws involved, administrators have got to get over their laissez-faire attitude toward patching. "Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur," Gartner's Rich Mogull wrote. Oracle administrators have traditionally relied on their servers being well tucked behind firewalls, in addition to Oracle's good record on strong security, and have thus oftentimes been slow to patch.
"Oracle databases have traditionally been located fairly deep within the enterprise," Mogull said in an interview with eWEEK. "People are now used to, when a CPU [Critical Patch Update] comes out, to wait days to patch. With Oracle, they tend to wait longer. These systems run well, these systems don't have downtime issues, so administrators wait a bit of time before installing patches. … It's fairly well-understood in the industry they don't patch as frequently" as users of other vendors' software, he said.

Beyond that, Mogull said, patching is sometimes impossible, given lack of support for legacy Oracle versions. "Oracle doesn't support products quite as long as some other vendors out there," he said. Hence, "many, many" clients are locked into older Oracle versions, since they rely on third-party applications that run on those older systems, he said.

Regardless, the current laid-back attitude toward patching is unacceptable, Mogull said. "Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet," he wrote in the advisory. "At least on administrators' side, it's time to update their management practices a bit, to better prepare" for testing and patching, he said.

This need for more nimble patching shouldn't be too onerous, given Oracle's switch to a quarterly patch release, Mogull said, a circumstance that puts patching on a predictable, regular schedule.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
