Security Researchers Call for More Info from Oracle

While they say the company's move to monthly security patch rollouts is a good start, many stress that the database giant will need to iron out its communication process and provide more specifics.

Oracle's first monthly rollout of patches threw security researchers into a tizzy Wednesday as they complained of a lack of information on which vulnerabilities had actually been fixed and what Oracle software components had been affected.

"Oracle's a little tight-lipped on what they've fixed and what they haven't fixed, and they haven't described in any detail at all what the security problems are," said Aaron Newman, database security expert, chief technology officer and co-founder of Application Security Inc. New York-based Application Security is a security software company that discovered about 20 of the vulnerabilities covered in the patch release, which researchers estimated covers 60 to 100 bugs and vulnerabilities.

"Oracle is making some good approaches, rolling out monthly patches to resolve these issues," said Noel Yuhanna, an analyst at Forrester Research Inc., in Santa Clara, Calif.

"But again, what issues are being resolved? Oracle needs to be clear on that and keep customers up to date on what issues exist and how they should overcome them with patches."

In addition, researchers noted that there are still outstanding vulnerabilities that await patching. "We still have a number of open ones with Oracle," said Stephen Kost, chief technology officer at Integrigy Corp., which found five to 10 of the vulnerabilities addressed.

"They didn't fix anything in the ERP [enterprise resource planning] suite." Oracle has known about some still-unfixed vulnerabilities for more than a year, according to multiple researchers, although none of the known vulnerabilities have resulted in any known exploits.

Oracle Corp. declined to comment further than it did Tuesday when it released the patches.

But although more communication from the Redwood Shores, Calif., database company would be welcome, many say the accumulating swamp of security flaws is not indicative of a failure on Oracle's part, but rather has to do with the increasing complexity of its products. "People come to it from a high-level perspective and say, 'Everything should be fixed in 90 days,'" said Integrigy's Kost. "That's not realistic. Oracle takes a long time on everything."

Furthermore, growing pains are to be expected as Oracle becomes more ubiquitous and as security researchers focus their attention on ferreting out flaws in its products. "Oracle in the past has been very responsive in delivering security patches," Yuhanna said.

"But there have been very few of them. Now that there's too many of them coming together [in clusters], it's a challenge to Oracle," he said. "They need to streamline the process and make it effective within Oracle and make sure customers follow the right approach—and convey the right message that these patches get deployed as appropriate to the given environment."

Oracle products have long had a reputation of being secure and stable, of being supported by a DBA (database administrator) population with above-average skills, and of being protected behind firewalls at a higher rate than rival databases. Still, Yuhanna said, with the flood of new features that have been packed into the latest release, Database 10g, security problems were bound to arise.

"I feel that Oracle focused more on delivering more features and functionality in 10g rather than securing Oracle itself," he said. "They want to deliver more features and functionality, and security was not a top priority."

But any glitches associated with Oracle's first monthly rollout are bound to be ironed out in coming releases, Yuhanna predicted. "They obviously promised to deliver these patches by the 31st, and they've done it," he said. "Oracle hasn't been accustomed very much to security patches as other vendors have been, so the whole process of management is coming to light, and Oracle's trying to refine the process and make sure they do a good job delivering the patches.

"Given that this is the first major rollout, I think, going forward, they will be more cautious about deploying newer versions and making sure they're more secure, just like Microsoft [Corp.], which is now taking security more seriously than ever before," he said.

ASI's Newman said his company is telling clients to consider the recent patch a point update and to perform appropriate testing, since the patch fixes so many problems. "They'll have to do more testing than they would normally for a security release," he said. "It's amazing how Oracle went from fixing one buffer overflow to 20 or 30 buffer overflows in the patch. I think they got swamped. A lot of people started looking at it and pulling back the covers and finding things."

The security patches are available on Oracle Technology Network and on Oracle's support site, MetaLink, which requires registration.
