18.10.07

Oracle Patches 51, Updates Vulnerability-Scoring System

Oracle's October Critical Patch Update (CPU) addresses 51 vulnerabilities spread across the company's product portfolio, a marked improvement over last October's update. The quarterly release also introduces an update to the system it uses to score the severity of vulnerabilities.

Oracle's namesake database products, which have 27 disclosed vulnerabilities, get the majority of the 51 fixes. According to Oracle's advisory, seven of the database vulnerabilities may be remotely exploitable without authentication.

Oracle Application Server gets 11 fixes, seven of which are remotely exploitable without authentication. There are eight security fixes for the Oracle E-Business Suite, one of which is remotely exploitable without authentication. Oracle Collaboration Suite gets seven fixes. Oracle PeopleSoft Enterprise PeopleTools gets two security fixes, and there is one new security fix for PeopleSoft Enterprise Human Capital Management.

The 51 flaws addressed in this month's update continue the decrease in reported vulnerabilities, which numbered 65 in the July update and are considerably fewer than the 100 the company fixed last October. That update also marked the first time that Oracle revealed how many flaws were remotely exploitable without authentication. The remotely exploitable flaws are among the most dangerous: they are more accessible, and hence more easily exploited, than local flaws, which first require local access and some form of authentication.

This year's update also adopts version 2 of the Common Vulnerability Scoring System (CVSS), a standard base-metric system for scoring the relative severity of a reported vulnerability. The company adopted CVSS last year to expand its security information disclosure method.

"It is worthwhile to reiterate again that CVSS provides a standard-based approach for assessing the criticality of vulnerabilities," Eric Maurice, manager for security in Oracle's global technology business unit, wrote on Oracle's security blog.

"In other words, CVSS assists customers to understand the significance of a given vulnerability in their environment, and assess the priority that should be given to patching that specific vulnerability against production requirements."

With CVSS 2.0, he continued, a number of changes have been introduced that make the standard more representative of real-world vulnerabilities.

But while the new version of CVSS has more parameters, Amichai Shulman, CTO of application data security company Imperva, said that the scores have remained the same.

"Based on our analysis, we recommend that security officers take a close look at the details composing the risk score rather than accepting the score itself," Shulman wrote in an e-mail sent to InternetNews.com.

"For example, the highest-ranked vulnerability is only 6.5 out of 10, yet it is easy to exploit remotely and allows the attacker to take complete control of the database. This is a serious vulnerability, but its score does not reflect that fact."

Regardless of how Oracle actually measures the severity of the vulnerabilities, the imperative for Oracle users is to update and do so quickly.

"Oracle users should understand that the period after a CPU has been issued is ironically more risky than the period before the CPU is published, as it gives black hats who may not have known about certain vulnerabilities directions where to look for them," Slavik Markovich, CTO of database security vendor Sentrigo, wrote in an e-mail sent to InternetNews.com.

"Based on the severity level of the vulnerabilities patched in this CPU, users should be sure to take the steps necessary to protect their organizations' data by heeding the advice of Oracle with regard to patch specifications and procedures."

Author: Sean Michael Kerner @ internetnews.com

17.10.07

It's Confirmed: Wookey Out at Oracle

Oracle's executive shuffling leaves many questions regarding the future of the company's Fusion platform. As has been rumored for days, Oracle is replacing the leadership of its application development platform.

Rumblings Oct. 12 that John Wookey, the company's head of application development for Fusion Applications—the project much vaunted at Oracle—is out, have been confirmed in media reports. Thomas Kurian, senior vice president responsible for Oracle's Fusion Middleware, will take his place.

The executive shuffling of the deck around Fusion leads to some big questions around Oracle's Fusion Applications plans, including whether Fusion Applications will be delayed beyond 2008, and whether Oracle is experiencing development problems in trying to bring together "the best of" functionality from at least four major suites of applications: Oracle E-Business Suite, PeopleSoft, JD Edwards and Siebel Systems.

The analyst community has long been split on Oracle's momentum with Fusion Applications.

ZDNet blogger Dennis Howlett, who runs the Enterprise Irregular community, sourced an internal letter from Oracle CEO Larry Ellison on his blog that detailed the company's moves. The Wall Street Journal later confirmed the departures, quoting sources close to the company.

Oracle officials were not available for comment at press time.

As it stands, Wookey, senior vice president of applications development, is leaving Oracle. Sources close to the company suggested the week of Oct. 8 that Wookey, in a heated argument with Ellison, had already left the company and Oracle was trying to woo him back, though the circumstances around Wookey's departure have not been confirmed.

Fusion Middleware is the underlying platform for Fusion Applications.

The changes come just days after Oracle announced Oct. 12 its intent to acquire BEA Systems for $6.6 billion. BEA, which develops middleware, rebuffed Oracle's overtures, saying the offer undervalued the company. Oracle responded that it would not raise its offer price, despite analyst speculation that it would. The deal, as of Oct. 16, is in limbo, though likely not by any means dead.

The deal for BEA, of San Jose, Calif., led to more questions surrounding Oracle's plans with Fusion—both its middleware platform and applications stack.

As part of the changes with Wookey's departure, Ed Abbo, who had reported to Wookey, will now head application development outside of Fusion—in other words, the continuing development of applications that Oracle, of Redwood Shores, Calif., has acquired, including PeopleSoft and JD Edwards. Through its Applications Unlimited program, Oracle vowed to support those applications forever.

Both Kurian and Abbo will report to Chuck Rozwat, executive vice president at Oracle who will take over responsibility for all product development, according to media reports.

The rumors of Wookey's departure came amidst claims that Oracle would announce at its annual OpenWorld conference in November that Fusion Applications would be delayed through 2009. When Oracle acquired PeopleSoft in 2005, it announced Fusion Applications would be ready sometime in 2008. In January 2006, Oracle officials held a press conference to report that Wookey's teams were "halfway there" with Fusion Applications development.

When asked to comment on the rumors that Wookey was indeed leaving Oracle, Joshua Greenbaum, principal of Enterprise Applications Consulting and an Enterprise Irregulars blogger, said in an Oct. 12 interview that he would be "shocked" if Wookey were indeed leaving Oracle.

"If I was Oracle and I thought things were in trouble regarding a 2008 release of Fusion, I wouldn't throw in the towel now and act as if it couldn't happen. I would be throwing resources and people at it," said Greenbaum. "It's a little premature to throw in the towel" on Fusion Applications.

Author: Renee Boucher Ferguson @ eWeek.com

16.10.07

Why Oracle's Tops in Takeovers

It appears it's now just a matter of when -- not if -- Oracle will complete its $6.7 billion takeover of embattled middleware software provider BEA Systems.

Despite the drama of hastily exchanged letters and rebuttals on Friday between the companies' executives, most financial and software industry analysts expect the deal to become official sooner, rather than later.

That's because Oracle -- thanks to a couple of painful, but educational, missteps along the way -- has become an expert at acquiring companies, whether they like it or not.

For now, BEA's management team and most of its shareholders believe -- or at least want Oracle to believe -- the company is still very much in play. However, Oracle's $17-a-share offer, which represents a solid 25 percent premium over BEA's closing price of $13.62 a share before the takeover bid became public, remains the only offer on the table.

SAP, which is surely loath to let Oracle snap up yet another prominent software company, is out. IBM and HP remain mum. EMC or any other long-shot candidate has yet to materialize.

This is no accident and reflects just how serious and seasoned Oracle has become in its quest to unseat SAP as the world's largest vendor of business applications in the enterprise.

Oracle had been pursuing BEA, on and off, for the better part of two years. That CEO Larry Ellison and President Charles Phillips made their intentions known less than a week after SAP said it would pay $6.8 billion to acquire Business Objects comes as even less of a surprise.

Assuming SAP would be likely to pass on a protracted, expensive bidding war so soon after making a massive purchase of its own, Oracle felt confident it could make an aggressive move without SAP's interference.

But the timing of Oracle's move was just one of several new tactics Ellison and company employed this time.

Unlike events leading to the bitter, protracted and largely unsatisfactory resolution to its hostile takeover of PeopleSoft in late 2004, Oracle approached BEA with what most consider a very generous offer. That's a marked difference from the low-balling it tried to do some three years ago in the PeopleSoft coup.

Also, by timing its move on BEA shortly after SAP's uncharacteristically bold purchase of Business Objects, Oracle demonstrated a further willingness to learn from the past. This time, it dodged what might have become another lengthy and expensive bidding war with its German rival, a process Oracle had already endured years earlier, when it sparred over retail software specialist Retek.

"Oracle has learned a great lesson from the PeopleSoft deal and other deals," Yefim Natis, a vice president and distinguished analyst at Gartner, said in an interview with InternetNews.com. "Nothing like that is happening this time. Oracle now has the vision and aggressive attitude it needs to execute this kind of deal."

Oracle learned further lessons from those turbulent acquisitions. In the PeopleSoft takeover, Oracle initially offered $16 a share to acquire what had been its most bitter rival for the better part of a decade. Two weeks later, it attempted to thwart resistance to the deal by upping the offer to $19 a share. Then, $24 a share.

Eighteen months and a lot of hard feelings later, Oracle finally wrapped up the deal at $26.50 a share, shelling out more than $10.3 billion.

That lengthy, contentious process not only cost Oracle more money upfront, but also cost it dearly in the following months and years. Industry watchers said that in the wake of the sale to Oracle, many of PeopleSoft's enterprise customers stopped doing business with the company, while its key sales reps and managers were giving less-than-stellar efforts on their way out the door.

In the Retek deal, Oracle initially countered SAP's $496 million offer with its own $525 million bid, or $9 per share. SAP went to $11 a share before Oracle prevailed at $11.25 a share.

"With PeopleSoft, Oracle learned that you don't kill the revenue stream to make the deal," Ian Finley, an analyst at AMR Research, said in an interview with InternetNews.com. "You could also say they learned that you don't get into a bidding war with SAP if you can avoid it."

"Today, Oracle is a much smarter acquirer of these large competitive products," he said. "Also, Oracle has become much better at maintaining multiple products that aren't necessarily compatible and merging them over time. You couldn't say the same about the PeopleSoft merger."

For now, BEA shares are still trading well above Oracle's $17-a-share offer. On Monday, the stock closed off 38 cents, or 2 percent, to $18.44 a share. BEA executives continue to insist the company is "worth substantially more to Oracle, to others and, importantly, to BEA shareholders."

Not so, says one industry watcher.

"Oracle came in with a higher-than-normal bid to give BEA a fair shake," Peter Goldmacher, an analyst at Cowen & Co., said in an interview with InternetNews.com. "I'm shocked that BEA is behaving like this is an undervalued asset. This was a $10 stock three months ago. They should consider themselves lucky to get $17 a share."

Author: Larry Barrett @ internetnews.com