15.1.08

Oracle admins ignoring patches, claim researchers

Oracle issues dozens of security patches every quarter, but that doesn't mean database administrators are implementing them.

In fact, a good two-thirds of all Oracle DBAs appear not to be installing Oracle's security patches at all, no matter how critical the vulnerabilities may be, according to survey results from Sentrigo, a Massachusetts-based vendor of database security products.

The results are "surprising, and to be candid, quite frightening," said Mike Rothman, president of consulting firm Security Incite in Atlanta.

Sentrigo polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008. The company asked the administrators two questions: whether they had installed the latest Oracle patches, and whether they had ever installed any of Oracle's security updates.

The results, which come even as Oracle is scheduled to release its next batch of quarterly Critical Patch Updates Tuesday, showed that 206 out of the 305 surveyed said they had never applied any Oracle CPUs. Just 31 said they had installed the most recent security update from the company. In total, only one-third said they had ever installed an Oracle CPU.

In an emailed statement, Oracle said the company "encourages organisations [to] apply Critical Patch Updates in a timely fashion to maintain their security posture."

"Critical Patch Updates for the Oracle Database are cumulative for the patch set to which they apply, making it easier for customers to keep their systems current with the latest security patch updates," the company said.

The results support what Sentrigo has been hearing anecdotally for some time, said Slavik Markovich, chief technology officer at Sentrigo. "Some database administrators don't even monitor for Oracle's CPUs. They don't even know when the CPUs come out," he said. "Sometimes, even if their security department tells them to deploy it, they just ignore it," he said.

There are two major reasons for the trend, Markovich said. The first and most important is that most DBAs fear the consequences of installing a patch on a running database, he said.

"To apply the CPU, you need to change the binaries of the database," he said. "You change the database behaviour in some ways that may affect application performance," he said. So applying security patches to a database typically involves testing them against the applications that feed off the database, he said.

"This is a very long and very hard process to do, especially if you are in enterprises with a large number of databases and applications," he said. Applying these patches means months of labour and sometimes significant downtime, both of which most companies can't afford, he said.

Some application vendors also don't certify Oracle patches to run with their applications, Markovich said.

Another problem is that companies that want to install the most recent Oracle patches need to first ensure that they have already installed the previous patch set, Markovich said.

"The real message here is that people who are in charge of operating systems and even applications have gotten conditioned into paying attention to updating their systems fairly soon after a patch or a fix comes out," Rothman said. In contrast, many database administrators continue to drag their feet when it comes to implementing needed security fixes, he said.

Oracle was not immediately available for comment.

Author: Jaikumar Vijayan @ www.techworld.com



14.1.08

Oracle confident ahead of America's Cup court ruling

US syndicate Oracle on Monday voiced confidence a New York court will back its America's Cup suit against Swiss champion Alinghi, and leave the way open for a catamaran duel to decide the next edition of the event.

Oracle filed a lawsuit in a New York court last summer accusing Alinghi of adopting rules which were unfairly weighted in the Swiss defender's favour, and in November the judge ruled in favour of the US team.

The court had been expected to finalize the ruling on January 14.

But the Golden Gate Yacht Club, which represents Oracle, said a decision was not now expected until next week.

"Justice Herman Cahn of the New York State Supreme Court today heard further arguments on the order and scheduled a hearing for January 23," it said in a statement. "GGYC expects the court will sign the order either then or shortly afterwards."

"We are very pleased with today," club spokesman Tom Ehman said in the statement. "We are confident the court's decision of November 27 will be enforced."

Alinghi has asked the court to reexamine its ruling, arguing that Oracle's original challenge should have been declared inadmissible because it contains "a major flaw in the boat certificate."

But the court is widely expected to stick by its earlier decision and set a date for a catamaran duel in October 2008 for the next race, as sought by Oracle, instead of a conventional America's Cup regatta with several challengers.

The next edition of yachting's showpiece event was originally planned for 2009 in the Spanish Mediterranean port of Valencia but it has been indefinitely postponed because of the legal dispute.

However, if Alinghi appeals the decision and the legal wrangling continues beyond the end of January, it could be too late to organise a duel before 2009 under the archaic set of rules governing sport's oldest prize, known as the Deed of Gift.

But Alinghi said it has already sent two Extreme 40 catamarans to train in Valencia, where they arrived on Monday.

"We are preparing for what could happen," a spokesman for the team said.

The America's Cup first hit the rocks in the aftermath of the hugely successful staging of the 32nd edition won by defender Alinghi against Team New Zealand in Valencia in July.

The crisis was triggered by Alinghi's naming of Spain's Desafio as the official 'Challenger of Record' and a controversial reworking of some of the rules.

Oracle said Alinghi was giving itself an unfair advantage and took their case to court.

The court ruled that Oracle should be the Challenger of Record, meaning it can help negotiate the rules for the next America's Cup.

Source: www.turkishpress.com



11.1.08

Oracle Plans To Patch 21 Security Holes Next Week

Oracle's January patch contains significantly fewer fixes than in previous quarters. In October, the company released 51 fixes; in July, it released 45.

Oracle (NSDQ: ORCL) plans to release a Critical Patch Update for its products on Jan. 15. The patch corrects vulnerabilities in multiple Oracle products.

Oracle said Thursday it plans to release 27 security fixes for its business software, including Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, Oracle PeopleSoft Enterprise PeopleTools, and Oracle PeopleSoft Enterprise Human Capital Management.

Oracle said there were no security fixes forthcoming for its JD Edwards products.

None of the Oracle Database vulnerabilities can be exploited remotely without authentication, meaning an attacker would have to be in possession of a valid user name and password to take advantage of the database flaws.

IT managers may be more concerned about the vulnerabilities in other products. Three of the seven fixes specific to the Oracle E-Business Suite may be exploited remotely, without authentication. One of the four fixes for Oracle's PeopleSoft products also may be exploited remotely, without authentication.

Oracle makes a habit of releasing security patches every three months. Its scheduled January patch contains significantly fewer fixes than in previous quarters. In October, the company released 51 fixes; in July, it released 45.

Security researchers like those with the SANS Institute have noted that attackers are looking for holes in corporate applications more than they had in the past. At the very least, security researchers are finding more such holes: Milw0rm.com, a site that catalogs published code exploits, posted 21 Oracle-related exploits in 2007, five in 2006, and three in 2005.

Author: Thomas Claburn @ www.informationweek.com

