
    Security Researchers Call for More Info from Oracle

    Written by

    Lisa Vaas
    Published September 1, 2004

      Oracle's first monthly rollout of patches threw security researchers into a tizzy Wednesday as they complained of a lack of information on which vulnerabilities had actually been fixed and what Oracle software components had been affected.

      “Oracle's a little tight-lipped on what they've fixed and what they haven't fixed, and they haven't described in any detail at all what the security problems are,” said Aaron Newman, database security expert, chief technology officer and co-founder of Application Security Inc. New York-based Application Security is a security software company that discovered about 20 of the vulnerabilities covered in the patch release, which researchers estimated covers 60 to 100 bugs and vulnerabilities.

      “Oracle is making some good approaches, rolling out monthly patches to resolve these issues,” said Noel Yuhanna, an analyst at Forrester Research Inc., in Santa Clara, Calif.

      “But again, what issues are being resolved? Oracle needs to be clear on that and keep customers up to date on what issues exist and how they should overcome them with patches.”

      In addition, researchers noted that there are still outstanding vulnerabilities that await patching. “We still have a number of open ones with Oracle,” said Stephen Kost, chief technology officer at Integrigy Corp., which found five to 10 of the vulnerabilities addressed.

      “They didn't fix anything in the ERP [enterprise resource planning] suite.” Oracle has known about some still-unfixed vulnerabilities for more than a year, according to multiple researchers, although none of the known vulnerabilities have resulted in any known exploits.


      Oracle Corp. declined to comment further than it did Tuesday when it released the patches.

      But although more communication from the Redwood Shores, Calif., database company would be welcome, many say the accumulating swamp of security flaws is not indicative of a failure on Oracle's part, but rather has to do with the increasing complexity of its products. “People come to it from a high-level perspective and say, ‘Everything should be fixed in 90 days,’” said Integrigy's Kost. “That's not realistic. Oracle takes a long time on everything.”

      Furthermore, growing pains are to be expected as Oracle becomes more ubiquitous and as security researchers focus their attention on ferreting out flaws in its products. “Oracle in the past has been very responsive in delivering security patches,” Yuhanna said.

      “But there have been very few of them. Now that there's too many of them coming together [in clusters], it's a challenge to Oracle,” he said. “They need to streamline the process and make it effective within Oracle and make sure customers follow the right approach—and convey the right message that these patches get deployed as appropriate to the given environment.”

      Oracle products have long had a reputation of being secure and stable, of being supported by a DBA (database administrator) population with above-average skills, and of being protected behind firewalls at a higher rate than rival databases. Still, Yuhanna said, with the flood of new features that have been packed into the latest release, Database 10g, security problems were bound to arise.

      “I feel that Oracle focused more on delivering more features and functionality in 10g rather than securing Oracle itself,” he said. “They want to deliver more features and functionality, and security was not a top priority.”

      But any glitches associated with Oracle's first monthly rollout are bound to be ironed out in coming releases, Yuhanna predicted. “They obviously promised to deliver these patches by the 31st, and they've done it,” he said. “Oracle hasn't been accustomed very much to security patches as other vendors have been, so the whole process of management is coming to light, and Oracle's trying to refine the process and make sure they do a good job delivering the patches.

      “Given that this is the first major rollout, I think, going forward, they will be more cautious about deploying newer versions and making sure they're more secure, just like Microsoft [Corp.], which is now taking security more seriously than ever before,” he said.

      ASI's Newman said his company is telling clients to consider the recent patch a point update and to perform appropriate testing, since the patch fixes so many problems. “They'll have to do more testing than they would normally for a security release,” he said. “It's amazing how Oracle went from fixing one buffer overflow to 20 or 30 buffer overflows in the patch. I think they got swamped. A lot of people started looking at it and pulling back the covers and finding things.”

      The security patches are available on Oracle Technology Network and on Oracle's support site, MetaLink, which requires registration.


      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.
