"Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur," Gartner's Rich Mogull wrote.
Oracle administrators have traditionally relied on their servers being tucked well behind firewalls, in addition to Oracle's good record on strong security, and have thus often been slow to patch.
"Oracle databases have traditionally been located fairly deep within the enterprise," Mogull said in an interview with eWEEK. "People are now used to, when a CPU [Critical Patch Update] comes out, to wait days to patch. With Oracle, they tend to wait longer. These systems run well, these systems don't have downtime issues, so administrators wait a bit of time before installing patches. … It's fairly well understood in the industry they don't patch as frequently" as users of other vendors' software, he said.
Beyond that, Mogull said, patching is sometimes impossible, given the lack of support for legacy Oracle versions. "Oracle doesn't support products quite as long as some other vendors out there," he said.
Hence, "many, many" clients are locked into older Oracle versions, since they rely on third-party applications that run on those older systems, he said.
Regardless, the current laid-back attitude toward patching is unacceptable, Mogull said. "Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet," he wrote in the advisory.
"At least on administrators' side, it's time to update their management practices a bit, to better prepare" for testing and patching, he said.
This need for more nimble patching shouldn't be too onerous, given Oracle's switch to a quarterly patch release, Mogull said—a circumstance that puts patching on a predictable, regular schedule.