Security Experts Probe Oracle Patches

While the number of products in the Oracle stables has risen dramatically, the number of quarterly security patches has noticeably declined.

On Tuesday, Oracle released 66 patches -- 34 of which could be remotely exploited without authentication -- involving 28 products or product suites. But was that enough?

"In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with fewer fixes for more products," blogged Amichai Shulman, CTO of Imperva.

For example, this week Oracle fixed six vulnerabilities across its database products, two of which could be remotely exploited without authentication. Furthermore, the massive E-Business Suite only saw two fixes, while PeopleSoft and JD Edwards received 12 patches. All appeared to be susceptible to a SQL injection attack.

Oracle released few details about the specific vulnerabilities, noting only that "due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible."

Shulman questioned the lack of additional detail. "This lack of transparency is outrageous behavior. Vendors expect researchers to share details with them responsibly, yet they fail to do the same with security vendors and their customers," said Shulman. "Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing."

Furthermore, he said, it complicates organizations' efforts to effectively deal with whatever vulnerabilities are in their Oracle products. That's because few businesses would risk installing patches on production systems. Instead, each patch typically requires weeks if not months of vetting.

But once security updates get released, IT managers are in a race with online criminals to see which comes first: successful testing and patching, or attackers reverse-engineering the Oracle patches to locate the underlying vulnerabilities and launching attacks that exploit them.

Which will happen first? "Exploits may emerge over the next few days, but we'll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment," Shulman said.

Oracle said its next quarterly patch release will occur on April 19.