Many Oracle Users Don't Apply Security Patches - InformationWeek
Many Oracle Users Don't Apply Security Patches

A survey of more than 300 Oracle users in more than a dozen cities by Sentrigo found that two-thirds had never applied an Oracle security patch.

Oracle on Tuesday is scheduled to issue 21 patches for its database, applications, and related products, a move that reflects a four-year-old patching process. But a software executive who has been visiting Oracle user groups says only a third of Oracle database administrators adopt the patches.

Slavik Markovich, chief technology officer of Sentrigo, a database security firm, said he has been making presentations at Oracle User Groups around the U.S. since August, and at each one he asks for a show of hands on how many attendees have adopted one of the two most recent Oracle Critical Patch Updates. He also asks how many have adopted at least one update since Oracle started issuing them.

Starting with the Capital Area Oracle User Group in Reston, Va., the answers that he's gotten have surprised him. At that meeting last August, two out of 40 attendees said they had installed one of the two latest patches; 15 said they had installed at least one patch in the four years of the program. That left 62.5% who had not installed any patches since the program began in November 2004.

After visiting Oracle user groups in South Florida, Chicago, Salt Lake City, Buffalo, Los Angeles, and nine other locations, including Reston, he had polled 305 attendees, with a Sentrigo staff member recording the results, and they remained much the same as at that first meeting. Only 10% had applied the most recent patches; 67.5% said they had never applied one.

"That leaves many databases vulnerable to what are now publicly known vulnerabilities," he said in an interview from Sentrigo's research and development unit in Kfar Saba, Israel, outside Tel Aviv. Markovich was a database consultant hired to develop a protective layer for Sony Computer Entertainment America when he realized that many companies must have the same security concerns as Sony. He founded Sentrigo to develop the Sony spot solution into a general product, Sentrigo Hedgehog.

Markovich said it's ironic that Oracle, in trying to address security concerns about its applications and database system, is also putting good information into the hands of malware makers and script kiddie-type intruders. At hacking sites, scripts appear shortly after an Oracle Critical Patch Update that illustrate how to exploit the vulnerabilities.

"As soon as a [Critical Patch Update] is published, you can see hacker sites filled with scripts that take advantage of the listed exposures," he said.

Software makers have long faced the dilemma of whether to draw attention to exposures and methods of attack. Oracle issues only the patches, not a description of the part of the database, application, or application server that they are meant to fix. But Markovich says the patches themselves betray the vulnerabilities, and experimentation shows how to exploit them.

He urges database administrators to adopt the portion of the patches that applies to them and, if possible, to consider an additional layer of protection, such as Hedgehog. If they can't do all the testing needed to apply the patches, then Hedgehog is a way to apply "a virtualized patch," or a protective layer outside the database that can prevent most attacks.
