By Charles Babcock
January 14, 2008
Oracle (NSDQ: ORCL) on Tuesday is scheduled to issue 21 patches for its
database, applications, and related products, a move that reflects a
four-year old patching process. But a software executive who's been
visiting Oracle user groups says only a third of Oracle database
administrators adopt the patches.
Slavik Markovich, chief technology officer of Sentrigo, a database
security firm, said he's been making presentations at Oracle Users
Groups around the U.S. since August, and at each one he asks for a show
of hands on how many attendees have adopted one of the two most recent
Oracle Critical Patch Updates. He also asks how many have adopted at
least one update since Oracle started issuing them.
Starting with the Capital Area Oracle User Group in Reston, Va., the
answers that he's gotten have surprised him. At that meeting last
August, two out of 40 attendees said they had installed one of the two
latest patches; 15 said they had installed at least one patch in the
four years of the program. That left 62.5% who had not installed any
patches since the program began in November 2004.
After visiting Oracle user groups in South Florida, Chicago, Salt Lake
City, Buffalo, Los Angeles, and nine other locations, including Reston,
he had polled 305 attendees, with a Sentrigo staff member recording the
results, and they remained much the same as at that first meeting. Only
10% had applied the most recent patches; 67.5% said they had never
"That leaves many databases vulnerable to what are now publicly known
vulnerabilities," he said in an interview from Sentrigo's research and
development unit in Kfar Saba, Israel, outside Tel Aviv. Markovich was a
database consultant hired to develop a protective layer for Sony
Computers Entertainment America when he realized many companies must
have the same security concerns as Sony. He founded Sentrigo to develop
the Sony spot solution into a general product, Sentrigo Hedgehog.
Markovich said it's ironic that Oracle, in trying to address security
concerns about its applications and database system, is also putting
good information into the hands of malware makers and script kiddie-type
intruders. At hacking sites, scripts appear shortly after an Oracle
Critical Patch Update that illustrate how to exploit the
"As soon as a [Critical Patch Update] is published, you can see hacker
sites filled with scripts that take advantage of the listed exposures,"
It's an old dilemma for software makers whether to draw attention to
exposures and methods of attack. Oracle issues only patches, not a
description of the part of the database or application or application
server that they are meant to fix. But Markovich says the patches betray
the vulnerabilities and experimentation illustrates how to exploit them.
He urges database administrators to adopt the portion of the patches
that apply to them and consider an additional layer of protection, such
as Hedgehog, if possible. If they can't do all the testing needed to
apply the patches, then Hedgehog is a way to apply "a virtualized
patch," or a protective layer outside the database that can prevent most
Subscribe to InfoSec News