Oracle’s ‘thrown in the towel’ on database patching, researcher claims
A security researcher today criticized Oracle for neglecting to patch its core database products, noting that the massive update slated for later Tuesday will set a record for the fewest fixes.
Alex Rothacker, director of security research of Application Security's TeamShatter vulnerability group, said that Oracle has "thrown in the towel on fixing database vulnerabilities."
"Assuming the January 2012 CPU [critical patch updates] report stays the same as the preview, they will have set a new record low of just two database fixes," said Rothacker in an email today.
The preview Rothacker referred to was the pre-patch notification Oracle issued last week that said it would patch 78 vulnerabilities altogether, 27 of them in the MySQL database, but only two in its Oracle Database products.
The two patches beats the previous low of five database fixes that Oracle issued last October.
"The trend since January 2010 has been a straight line going down," said Rothacker in a Monday interview. "And it's not that those products are less vulnerable.
Rothacker cited nine bugs that his team has reported to Oracle over the last six to 12 months, but which have not yet been patched, as evidence that Oracle Database contains vulnerabilities.
Two or three of the nine, said Rothacker, are serious enough that his team of researchers rank them as high risks, and think should have been patched by now.
"There are still issues that they're not fixing," said Rothacker, "including several currently open in the Enterprise Manager, a tool where you can manage databases and apply patches."
Rothacker believes there's a correlation between the drop in database patches and Oracle's acquisition of Sun Microsystems.
"The drop in database fixes started around the time that Oracle acquired Sun and began issuing more fixes for its Fusion Middleware," said Rothacker.
Oracle announced plans to acquire Sun in April 2009, but did not receive blessing from U.S. and European Union antitrust regulators until later that year. The merger became official in January 2010.
Today's CPU will include 17 patches for Sun-branded products and 11 for Fusion Middleware.
Oracle has noted the drop in database patches, too, but offers a different explanation.
"As the Oracle Database Server code base has matured, Oracle's ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base," said Eric Maurice, director of the company's security assurance program, in a December 2011 blog post. "Unless circumstances change drastically -- as a result of, for example, the discovery of new exploit vectors -- we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced."
Maurice said that the number of vulnerabilities in its database line-up have decreased over the last three-to-four years, and that Oracle's secure coding efforts -- an initiative similar to Microsoft's Security Development Lifecycle (SDL) program -- have helped reduce the number of bugs in newer code.
Rothacker countered. "I just can't agree with that," he said today. "We're reporting about the same amount [of bugs] to them, but they're fixing fewer."
In 2011, Oracle patched five database vulnerabilities in October, 16 in July, and six each in April and January. All four CPUs issued in 2010 included database fixes in single digits, while the four in 2009 each contained a double-digit number of database patches.
Oracle today declined to comment on Rothacker's claims, but said it would publish commentary on today's CPU when it issues the update.
(Source: computerworld.com)