Slavik Markovich, chief technology officer of Sentrigo, a database security firm, said he's been making presentations at Oracle Users Groups around the U.S. since August, and at each one he asks for a show of hands on how many attendees have adopted one of the two most recent Oracle Critical Patch Updates. He also asks how many have adopted at least one update since Oracle started issuing them.
After visiting Oracle user groups in South Florida, Chicago, Salt Lake City, Buffalo, Los Angeles, and nine other locations, including Reston, he had polled 305 attendees, with a Sentrigo staff member recording the results, and they remained much the same as at that first meeting. Only 10% had applied the most recent patches; 67.5% said they had never applied one.
"That leaves many databases vulnerable to what are now publicly known vulnerabilities," he said in an interview from Sentrigo's research and development unit in Kfar Saba, Israel, outside Tel Aviv. Markovich was a database consultant hired to develop a protective layer for Sony Computer Entertainment America when he realized many companies must have the same security concerns as Sony. He founded Sentrigo to develop the Sony spot solution into a general product, Sentrigo Hedgehog.
Markovich said it's ironic that Oracle, in trying to address security concerns about its applications and database system, is also putting good information into the hands of malware makers and script kiddie-type intruders. Shortly after each Oracle Critical Patch Update, scripts that illustrate how to exploit the patched vulnerabilities appear on hacking sites.
"As soon as a [Critical Patch Update] is published, you can see hacker sites filled with scripts that take advantage of the listed exposures," he said.
It's an old dilemma for software makers whether to draw attention to exposures and methods of attack. Oracle issues only patches, not a description of the part of the database or application or application server that they are meant to fix. But Markovich says the patches betray the vulnerabilities and experimentation illustrates how to exploit them.
He urges database administrators to adopt the portion of the patches that applies to them and, if possible, to consider an additional layer of protection such as Hedgehog. If they can't do all the testing needed to apply the patches, Hedgehog offers a way to apply "a virtualized patch," a protective layer outside the database that can prevent most attacks.