[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Many Oracle Users Don't Apply Security Patches


By Charles Babcock
January 14, 2008

Oracle (NSDQ: ORCL) on Tuesday is scheduled to issue 21 patches for its 
database, applications, and related products, a move that reflects a 
four-year old patching process. But a software executive who's been 
visiting Oracle user groups says only a third of Oracle database 
administrators adopt the patches.

Slavik Markovich, chief technology officer of Sentrigo, a database 
security firm, said he's been making presentations at Oracle Users 
Groups around the U.S. since August, and at each one he asks for a show 
of hands on how many attendees have adopted one of the two most recent 
Oracle Critical Patch Updates. He also asks how many have adopted at 
least one update since Oracle started issuing them.

Starting with the Capital Area Oracle User Group in Reston, Va., the 
answers that he's gotten have surprised him. At that meeting last 
August, two out of 40 attendees said they had installed one of the two 
latest patches; 15 said they had installed at least one patch in the 
four years of the program. That left 62.5% who had not installed any 
patches since the program began in November 2004.

After visiting Oracle user groups in South Florida, Chicago, Salt Lake 
City, Buffalo, Los Angeles, and nine other locations, including Reston, 
he had polled 305 attendees, with a Sentrigo staff member recording the 
results, and they remained much the same as at that first meeting. Only 
10% had applied the most recent patches; 67.5% said they had never 
applied one.

"That leaves many databases vulnerable to what are now publicly known 
vulnerabilities," he said in an interview from Sentrigo's research and 
development unit in Kfar Saba, Israel, outside Tel Aviv. Markovich was a 
database consultant hired to develop a protective layer for Sony 
Computers Entertainment America when he realized many companies must 
have the same security concerns as Sony. He founded Sentrigo to develop 
the Sony spot solution into a general product, Sentrigo Hedgehog.

Markovich said it's ironic that Oracle, in trying to address security 
concerns about its applications and database system, is also putting 
good information into the hands of malware makers and script kiddie-type 
intruders. At hacking sites, scripts appear shortly after an Oracle 
Critical Patch Update that illustrate how to exploit the 

"As soon as a [Critical Patch Update] is published, you can see hacker 
sites filled with scripts that take advantage of the listed exposures," 
he said.

It's an old dilemma for software makers whether to draw attention to 
exposures and methods of attack. Oracle issues only patches, not a 
description of the part of the database or application or application 
server that they are meant to fix. But Markovich says the patches betray 
the vulnerabilities and experimentation illustrates how to exploit them.

He urges database administrators to adopt the portion of the patches 
that apply to them and consider an additional layer of protection, such 
as Hedgehog, if possible. If they can't do all the testing needed to 
apply the patches, then Hedgehog is a way to apply "a virtualized 
patch," or a protective layer outside the database that can prevent most 

Subscribe to InfoSec News