Experienced Oracle database administrators say the company needs to be more proactive about sharing information about security loopholes and about plans for patch releases.
More than a few database administrators will likely be spending at least part of their Labor Day weekend installing the security patches Oracle Corp. released Tuesday, or if not, they should be, according to one database administrator.
"I expect a lot of database administrators will be applying these patches over the next few days or over the long weekend coming up, myself included," said Michael Wessler, a Web and database administrator with Perpetual Technology Inc., a consulting firm in Indianapolis.
On Tuesday, Oracle released its first monthly bundle of security patches that address more than 30 vulnerabilities discovered by Next Generation Security Software Ltd. between January and February. The patches also cover another 20 loopholes that were recently discovered by Application Security Inc.
Oracle was silent about the security flaws for far too long, Database Center Editor Lisa Vaas writes.
The patches are a high priority because they address critical vulnerabilities that have to be fixed sooner rather than later, Wessler said. This is especially true for Perpetual Technology's government clients, which include the U.S. Department of Defense, he said.
Wessler said he is particularly concerned that the patches involve virtually all of Oracle's currently released database and Web application server products, including Oracle 10g.
"What scares us the most," he said, is that to exploit the Oracle security loopholes, hackers don't need a valid network account; they only need access to a target corporate network. "It makes you think that any bad guys out there can get onto your system no matter what kind of security you have imposed, as long as they can get onto your network," Wessler said.
The patches address a number of vulnerabilities, and it will likely take a considerable amount of time to implement and test them, he said. "It would have been nice if Oracle would have provided a little more detail in the official documentation" about the potential dangers of the loopholes and about how the patches specifically address them, he said.
"I know I would prefer that they were providing these patches as they find them" rather than release them all at once, said Wessler.