However, both Kornbrust and Kramer expressed concern that Oracle customers might not appreciate the seriousness of the security hole fixed by the DB18 patch. "If you look at the fix theyve published, theres not a lot of information at all," Kramer said. "Its kind of unclear whats going on. Theyre not really giving enough information to customers.""People are saying that the CPU in January was not that severe, but its really important to apply [DB18]," Kornbrust said. Details of the Oracle patches can be difficult for less technical staff to interpret, Merar agreed. "A lot of people arent that technical, and its difficult for them to understand what [the patch fixes]," he said. Oracle has become the focus of increasing criticism from security experts for faulty patches and what some consider sluggish response to reports of security holes in its products. Oracle is going public with its recipe for "unbreakable" code. Click here to read more. On Monday, Gartner issued a research note saying that the most recent CPU, which patched 82 software holes across the companys product lines, shows that Oracle "can no longer be considered a bastion of security." Oracle has defended the security of its code and its internal processes for spotting security holes. The company cites its long tradition of secure development, its recent changes, like the introduction of automated static code analysis tools, and the shift to quarterly patches as evidence that it takes security seriously. Editors Note: This story was updated to include more information about how the exploit works and comment from Oracle on the severity of the vulnerability. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
For example, Oracle does not provide details on the nature of the vulnerability, the risks involved or how the companys patch fixes the problem, Kramer said.