Oracle patching fewer database flaws, says researcher
By: Jaikumar Vijayan
On: 20 Jan 2011
For: ComputerWorld (US)
Researchers say increased emphasis on acquired products makes it harder for Oracle to stay on top of database flaws.
Oracle Corp.'s ability to address vulnerabilities in its core database technologies may be hampered by the vast number of products the company now must manage, security experts say.
For example, the list of Oracle's quarterly security updates released Tuesday includes only six patches for security flaws in the company's flagship database products. The other 60 patches released fix bugs in Oracle's Fusion middleware technologies, its supply chain and CRM software, and products gained from its acquisition of Sun Microsystems early last year.
The small number of database patches doesn't necessarily mean that the Oracle technology is becoming more secure, said Alex Rothacker, director of security at Application Security Inc.'s Team Shatter vulnerability assessment group.
Rather, it likely shows that the company doesn't have the capacity to fix the full list of Oracle database flaws reported to it in a timely fashion, said Rothacker, whose team of researchers discovered three of the six database flaws addressed in this week's update.
Several other similar flaws have been reported to Oracle by AppSec, but have not been fixed yet, Rothacker said. In some cases, the unpatched vulnerabilities were reported to Oracle several months ago, he added.
"The number of database fixes from Oracle has really gone down," he said. "But that's not because of a lack of vulnerabilities to fix. They have apparently reassigned their priorities and are choosing not to fix all the database vulnerabilities that are reported to them. It appears that they are losing some of the DBMS focus and are getting spread too thin on other stuff."
Oracle did not respond to a request for comment on the reason for releasing six database patches.
The release of six database patches, compared to nine in the October 2010 security update, continues a trend that began early last year after the acquisition of Sun, said Amichai Shulman, chief technology officer at database security vendor Imperva.
In all of 2010, Oracle issued patches for 32 database flaws, compared to 54 in 2009, 53 in 2008 and over 70 in 2007.
"There is some bottleneck in their vulnerability patching process that is preventing them from getting back to the pace of fixing [database flaws] that they had a few years ago," Shulman said. "Something about the incorporation of so many different products from so many different vendors, especially Sun, has caused some sort of a problem that doesn't allow them to fix more vulnerabilities each cycle."
According to Shulman, some security researchers who have submitted notice of several vulnerabilities to Oracle are waiting to hear back from the company. "I really would like to think that they are getting better with their product, but honestly, that's not it," he said.
Stephen Kost, chief technology officer at security vendor Integrigy, noted that IT managers must also deal with Oracle's continuing reluctance to release full details of the flaws it is patching. Unlike Microsoft and other vendors, which release detailed information on each flaw and their patches, Oracle simply releases patches and offers little data on the flaws.
"One piece of information that Oracle does not release is what should be tested when I apply the patch," Kost said. "What should I be testing from a functional perspective; what might I break? Right now I don't know."
According to Kost, while most of the flaws in Oracle's core database may have been addressed in recent security updates, flaws in ancillary technologies such as Oracle Database Vault and Oracle Audit Vault are not quickly patched. "Products that are supporting the Oracle database are the places where you find problems. That doesn't lessen the risk," but just moves it to another place, he said.
Jaikumar Vijayan is a contributor to the International Data Group (IDG) News Service, which publishes global technology stories from bureaus around the world to more than 300 publications in more than 60 countries.