Oracle on Tuesday released its now-quarterly patch update, plugging vulnerabilities in 16 different products and applications, including the first patches for PeopleSoft applications since it completed the purchase of the company on Jan. 7, 2005.
Security experts see database vulnerabilities as an emerging threat that attackers, enterprises and database vendors like the Redwood Shores, Calif. database giant Oracle Corp. are all beginning to recognize.
“I would argue that databases are becoming much more understood by attackers, and they are significantly more valuable to the criminal element,” said Jose Nazario, a security researcher for Arbor Networks Inc. in Lexington, Mass.
“Databases are the basis for compliance, and that makes this unique,” said Ted Julian, vice president of marketing for Application Security Inc. “Its where the crown jewels are stored, so its added an urgency that other parts of the business didnt see.”
The most recent patches from Oracle address security vulnerabilities found in Oracle Database 10g, several versions of Oracles database servers and application servers, Oracle Collaboration Suite, E-Business Suite and Enterprise Manager.
In addition, Oracle created six patches for PeopleSoft EnterpriseOne Applications and a single patch for OneWorldXe/ERP8 Applications. For all products except E-Business Suite, the patches contain fixes from previous updates.
The vulnerabilities are rated in a “Risk Matrix,” which ranks the impact of each vulnerability on “confidentiality, integrity and availability,” as well as how difficult Oracle expects the patch to be to complete.
“Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage,” Oracle wrote in an accompanying policy statement. Its an ongoing debate in the security community as to whether the level of detail provided by Oracle and other application developers is appropriate. Oracle states that it doesnt provide “specifics of vulnerabilities beyond what is provided in the Critical Patch Update.”
“Its my opinion that that vagueness may actually work to their advantage,” said Shane Coursen, senior technology consultant for Kaspersky Lab Inc., a security firm in Woburn, Mass. “When a security vulnerability is discussed at length, I dont think for a second bad guys arent learning from those discussions.”
Coursen does believe, however, that Oracle is still learning what is appropriate and developing its patch processes on the fly, as its only the companys second official quarterly “patch day.”
“Oracle may not yet be fully in the mode of having to provide update patches,” said Coursen. “Just as it was with Microsoft, Oracle is going through a learning process. With a few more iterations of quarterly updates, and with good communication between their developers and their customer base, we should see an update process more and more refined.”
Julian at Application Security Inc. in New York agreed. “People are discovering more vulnerabilities and forcing Oracle to do a more thorough and regular job to patch these vulnerabilities,” he said. “Its a cumbersome process, but at the same time, the stakes couldnt be higher.”
The security firms also believe the move to scheduled patch day is a blessing for enterprise security teams.
“Its clear to us that enterprises are pleased with the schedule,” said Julian. “It makes it feasible for them to create a process for deploying their security. Without it, its almost an untenable situation.”
The next round of patches is scheduled for July 12, followed by a Q4 release on October 18.