[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Researchers Say Oracle Leaves Databases Needlessly Vulnerable

To: isn@xxxxxxxxxxxxxxx
Subject: [ISN] Researchers Say Oracle Leaves Databases Needlessly Vulnerable
From: InfoSec News <alerts@xxxxxxxxxxxxxxx>
Date: Thu, 1 Dec 2011 02:33:48 -0600 (CST)
List-archive: <http://infosecnews.org/pipermail/isn>
List-help: <mailto:isn-request@infosecnews.org?subject=help>
List-id: InfoSec News <isn.infosecnews.org>
List-post: <mailto:isn@infosecnews.org>
List-subscribe: <http://infosecnews.org/mailman/listinfo/isn>, <mailto:isn-request@infosecnews.org?subject=subscribe>
List-unsubscribe: <http://infosecnews.org/mailman/options/isn>, <mailto:isn-request@infosecnews.org?subject=unsubscribe>
Sender: isn-bounces@xxxxxxxxxxxxxxx
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

http://www.darkreading.com/database-security/167901020/security/news/232200517/researchers-say-oracle-leaves-databases-needlessly-vulnerable.html

By Ericka Chickowski
Contributing Editor
Dark Reading
Nov 30, 2011

Is Oracle just paying lip service to database security? Some researcherswithin the database community think so, complaining that as the softwarejuggernaut has grown with acquisitions such as the blockbuster Sun dealit hasn't maintained enough resources to securely develop databaseproducts and resolve vulnerabilities disclosed by researchers in atimely fashion.

"I would say easy fixes get done pretty quickly, within three to sixmonths, but things that are harder and need some changes in architectureor have an impact on customers where customers have to make some changesto their products, to their software that uses the databases, thosethings don't get done in the CPU," says Alex Rothacker, manager ofApplication Security Inc.'s research arm, TeamSHATTER. "We have avulnerability disclosed where basically we can brute force any userspassword and we reported this two years ago and they haven't fixed ityet."

It's a complaint lodged by many researchers, who say that even as Oraclepublicly states it wants to work with the research community to fixdatabase issues, it isn't putting its shoulder into the effort. Thenumbers show that over the past several years, the proportion ofquarterly critical patch updates for Oracle database products hasdiminished considerably over the last two years.

While some might come to the conclusion that there are fewer updatesbecause Oracle's products are getting more secure, researchers say thistrend has occurred simultaneously as the window between disclosure ofvulnerabilities and patch releases for them has grown wider.


[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn

Prev by Date: [ISN] Duqu hackers scrub evidence from command servers, shut down spying op
Next by Date: [ISN] GCHQ aims to recruit computer hackers with code-cracking ad
Previous by thread: [ISN] Duqu hackers scrub evidence from command servers, shut down spying op
Next by thread: [ISN] GCHQ aims to recruit computer hackers with code-cracking ad
Index(es):
- Date
- Thread