Imperva CTO blasts Oracle patching
By Tom Brewster
Oracle should patch database vulnerabilities more frequently and be more open about what the flaws are, a security expert has claimed.
Imperva chief technology officer (CTO) Amichai Shulman said Oracle used to issue fixes on a more regular basis, even when they had far fewer products.
“One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products,” Shulman said.
“The quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year.”
Shulman said he could not believe “there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.”
Furthermore, the CTO said Oracle did not explain clearly enough what the vulnerabilities were.
“Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits,” he added.
“Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.”
Oracle chose not to comment on Shulman’s statement.
However, Oracle has included a new document in the critical patch update to help administrators better understand the related security vulnerabilities.
“This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation,” Oracle said in a blog.
Shulman's comments came a day after Oracle released its January 2011 Critical Patch Update, which covered 66 vulnerabilities across a range of products.
A total of 16 fixes were for Oracle’s Fusion Middleware offering alone, two of which had the maximum CVSS Base Score of 10.0.
A fix for an Oracle Audit Vault vulnerability, which was also handed the maximum CVSS Base Score, was issued.
"We are seeing fixes for remote execution without authentication, which is very severe," Shulman added.