January 19, 2011, 2:00 PM — Oracle delivered its quarterly montage of patches and updates this week. The quarterly release cycle--like Microsoft's monthly Patch Tuesday--is designed to provide some stability and predictability for the IT admins who have to test and implement the patches, but at least one security expert thinks the Oracle system needs some work.
The January 2011 CPU (critical patch update) from Oracle addressed a total of 43 Oracle security vulnerabilities, and another 23 related to Sun software. It is a bit on the low side compared with recent CPUs, but still within the realm of normal for an Oracle quarterly update. So, why is that a problem?
Amichai Shulman, CTO of Imperva--a Web and database security company--has reviewed the Oracle CPU and provides the following analysis: "Oracle patching needs fixing."
Shulman elaborates, "The quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can't believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities," adding, "In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with fewer fixes for more products."
To that point, during the two-year period in which Oracle has been following the quarterly patch update cycle, it has also acquired an additional fourteen companies, including Virtual Iron and Sun Microsystems. It seems reasonable to expect that incorporating products and tools from fourteen new companies would make the vulnerability and patch count increase. To be fair, though, Java updates are not included in these numbers, because Oracle has established a separate update cycle dedicated to Java.
Shulman also takes issue with the lack of clarity or disclosure from Oracle. Oracle has chosen to make it a policy not to elaborate on vulnerability details, citing concerns that hackers would use the information to develop exploits. However, attackers probably knew about the holes before Oracle, and have the ability to reverse-engineer the patch to find the root vulnerability, so really it is only Oracle customers who are left in the dark without the information necessary to make informed risk assessments.