Oracle to release patches for multiple vulnerabilities

Oracle is preparing to release patches for a number of vulnerabilities, but apparently has delayed their release until a new distribution system is ready. Clearly, it’s a good thing that they’re getting the patches ready, but it seems to me that Microsoft has gotten a lot of grief for delaying patches for a variety of reasons. Will Oracle be held to the same standard? Will /. pick this issue up and discuss it?

--Oracle to Address 34 Flaws

(3 August 2004)

Oracle plans to release patches to fix 34 vulnerabilities in its database software. The vulnerabilities include buffer overflow and SQL injection flaws; some are easy to exploit while others require a fair amount of technical ability. Next Generation Security (NGS) Software said that while it discovered the vulnerabilities and informed Oracle early this year, Oracle is delaying the release of the fixes until its new patch distribution system is ready for release. The delay has prevented NGS from discussing details of the vulnerabilities with others in the security field.

http://www.computerworld.com/printthis/2004/0,4814,95013,00.html

[via SANS Newsbites]

I’ll be interested to see what the advocates of early disclosure have to say about this.

  • It's been talked about in a number of locations. Oracle's known about these 34(!) vulnerabilities since January/February!

    Phil
  • If they were to pick it up it won't be treated as negatively as a Microsoft story. In the /. world, Microsoft is evil and Oracle is far nicer, after all, “they support Linux by shipping software for it” many would say. Of course, if it was in the context of a “Which is better, Oracle or <insert name of OSS based database>?” Oracle will of course lose because they believe in keeping their source, oh such naughty people!
  • That's a very different situation. Usually the database system is not connected to the internet in the way MS Windows machines are.

    Especially if you use Oracle, your DB will be FOR SURE behind dozens of firewalls, servers, etc. Different from MSSQL, which is very often used for the web and installed on the same machine as the webserver.

    The risks involved in an Oracle update and a Windows update are VERY different.

  • Eduardo,

    FWIW, the consistent best practice recommendation for SQL Server is that it be run behind a firewall, and NOT be on the same machine as the Web or app server. And I don't buy your statement that "if you use Oracle, your DB will be FOR SURE behind dozens of firewalls, servers, etc". First of all, "dozens" is almost certainly a gross exaggeration. And while it may be less likely that an Oracle DB server is sitting outside the firewall, it's hardly unheard of. Beyond that, many attacks don't come from outside the firewall, they come from inside. A vulnerability that allows anyone to gain administrative access to the DB server can be just as dangerous inside the firewall as outside.

    "The risks involved on a Oracle update and a Windows update are VERY different."

    Could you elaborate? Different how? And how, exactly, does that difference justify a delay of more than six months in the release of patches for known critical vulnerabilities?

  • I concur with Edoardo ...
    It's a bit like a super expensive (half a million $) car .... nobody would "park" it in a bad neighborhood overnight ....

    In the investment bank where I work, Oracle, DB2 and Sybase DBs are super protected, with dedicated boxes, subnets, firewalls, intrusion detection and DBA specialists (vendors' staff) looking after them, while the MSSQL ones are just sitting around without even an IPSEC setup ....
    Often price determines perception ...
  • "In the investment bank where I work, Oracle, DB2 and Sybase DBs are super protected, with dedicated boxes, subnets, firewalls, intrusion detection and DBA specialists (vendors' staff) looking after them, while the MSSQL ones are just sitting around without even an IPSEC setup ....
    Often price determines perception"

    If that's the case, then someone should fire the people responsible for the SQL Server machines.

    Nevertheless, while it's all well and good that *your* Oracle machines are that well protected, I can tell you from my experience that there are plenty of Oracle machines out there that are not nearly so locked down. And anyway, should the fact that some Oracle installs are well-protected via network security excuse a months-long delay in the release of critical patches? Certainly no one would suggest that such a delay in a Microsoft patch was OK, no matter what mitigating factors existed. That's my point here.
  • "In the investment bank where I work, Oracle, DB2 and Sybase DBs are super protected, with dedicated boxes, subnets, firewalls, intrusion detection and DBA specialists (vendors' staff) looking after them, while the MSSQL ones are just sitting around without even an IPSEC setup ....
    Often price determines perception"

    :) This just means that the data in your M$SQL Server databases is not important enough to be protected. If you are a good DBA you protect whatever database you're responsible for, even if it is MySQL, Oracle, DB2... or even Access. A good DBA is not an Oracle DBA... or a DB2 one... or an SQL Server DBA... a good DBA is one that gets his work done well and in time, and if he has to protect his databases... he must protect them all... not just "ORACLE" ones.. :) I like Oracle... it's my first love for databases... but this doesn't make me think that if I have some Oracle DB skills I'm better than my colleague that knows MSSQL Server better than me.. :) So... if we talk about protection... let's protect our databases in a way that we don't depend exclusively on the "patches". If we used the best practices that we read in different books or articles we wouldn't have to suffer so much because we don't have the patches.
  • I've got a great idea. Let's stop the whining about tools and how hard done by <insert your favorite software company here> is by the press or the public or whoever.

    The fact is that software is developed by humans who are not correct 100% of the time and some of whom have not been adequately trained in tools, theory, and problem solving. Add to that vague requirements from end users and management and you have a recipe for disaster (i.e. Windows ME, okay unfair shot, I know).

    Why not just be happy that vendors are willing to fix their software by patching it, as opposed to having you pay for the upgrades. I know someone will say, "But it is their responsibility, NO OBLIGATION". Right, I agree, but let's stop slagging every company out there for the mistakes that come to light days, weeks, or years after the application or OS has come out when they try to make things right (at least for another couple of days).
  • 'tired',

    I don't know that I disagree with your overall point. My post was merely an observation on the delta between how the world appears to view Microsoft's patch timing vs. other vendors. No whining here...the world's not a fair place, and all that, but I do think it's something worthy of discussion. Thanks for your comment.