Oracle patching fewer database flaws, says researcher
By Jaikumar Vijayan, ComputerWorld (US), 20 Jan 2011
Researchers say increased emphasis on acquired products makes it harder for Oracle to stay on top of database flaws
Oracle Corp.'s ability to address vulnerabilities in its core database technologies may be hampered by the vast number of products the company now must manage, security experts say.
For example, the list of Oracle's quarterly security updates released Tuesday includes only six patches for security flaws in the company's flagship database products. The other 60 patches released fix bugs in Oracle's Fusion middleware technologies, its supply chain and CRM software, and products gained from its acquisition of Sun Microsystems early last year.
The small number of database patches doesn't necessarily mean that the Oracle technology is becoming more secure, said Alex Rothacker, director of security at Application Security Inc.'s Team Shatter vulnerability assessment group.
Rather, it likely shows that the company doesn't have the capacity to fix the full list of Oracle database flaws reported to it in a timely fashion, said Rothacker, whose team of researchers discovered three of the six database flaws addressed in this week's update.
Several other similar flaws have been reported to Oracle by AppSec, but have not been fixed yet, Rothacker said. In some cases, the unpatched vulnerabilities were reported to Oracle several months ago, he added.
"The number of database fixes from Oracle has really gone down," he said. "But that's not because of a lack of vulnerabilities to fix. They have apparently reassigned their priorities and are choosing not to fix all the database vulnerabilities that are reported to them. It appears that they are losing some of the DBMS focus and are getting spread too thin on other stuff."
Oracle did not respond to a request for comment on the reason for releasing six database patches.
The release of six database patches, compared to nine in the October 2010 security update, continues a trend that began early last year after the acquisition of Sun, said Amichai Shulman, chief technology officer at database security vendor Imperva.
In all of 2010, Oracle issued patches for 32 database flaws, compared to 54 in 2009, 53 in 2008 and over 70 in 2007.
"There is some bottleneck in their vulnerability patching process that is preventing them from getting back to the pace of fixing [database flaws] that they had a few years ago," Shulman said. "Something about the incorporation of so many different products from so many different vendors, especially Sun, has caused some sort of a problem that doesn't allow them to fix more vulnerabilities each cycle."
According to Shulman, some security researchers who have submitted notice of several vulnerabilities to Oracle are waiting to hear back from the company. "I really would like to think that they are getting better with their product, but honestly, that's not it," he said.
Stephen Kost, chief technology officer at security vendor Integrigy, noted that IT managers must also deal with Oracle's continuing reluctance to release full details of the flaws it is patching. Unlike Microsoft and other vendors, which release detailed information on each flaw and the corresponding patch, Oracle simply releases patches and offers little data on the flaws.
"One piece of information that Oracle does not release is what should be tested when I apply the patch," Kost said. "What should I be testing from a functional perspective; what might I break? Right now I don't know."
According to Kost, while most of the flaws in Oracle's core database may have been addressed in recent security updates, flaws in ancillary technologies such as Oracle Database Vault and Oracle Audit Vault are not patched as quickly. "Products that are supporting the Oracle database are the places where you find problems. That doesn't lessen the risk," but just moves it to another place, he said.
Jaikumar Vijayan is a contributor to the International Data Group (IDG) News Service, which publishes global technology stories from bureaus around the world to more than 300 publications in more than 60 countries.