[ISN] Researchers Say Oracle Leaves Databases Needlessly Vulnerable

From: InfoSec News <alerts_at_private>
Date: Thu, 1 Dec 2011 02:33:48 -0600 (CST)
http://www.darkreading.com/database-security/167901020/security/news/232200517/researchers-say-oracle-leaves-databases-needlessly-vulnerable.html

By Ericka Chickowski
Contributing Editor
Dark Reading
Nov 30, 2011

Is Oracle just paying lip service to database security? Some researchers 
within the database community think so, complaining that as the software 
juggernaut has grown through acquisitions such as the blockbuster Sun 
deal, it hasn't maintained enough resources to securely develop database 
products and to resolve vulnerabilities disclosed by researchers in a 
timely fashion.

"I would say easy fixes get done pretty quickly, within three to six 
months, but things that are harder and need some changes in architecture, 
or have an impact on customers where customers have to make some changes 
to their products, to their software that uses the databases, those 
things don't get done in the CPU," says Alex Rothacker, manager of 
Application Security Inc.'s research arm, TeamSHATTER. "We have a 
vulnerability disclosed where basically we can brute force any user's 
password, and we reported this two years ago and they haven't fixed it 
yet."

It's a complaint lodged by many researchers, who say that even as Oracle 
publicly states it wants to work with the research community to fix 
database issues, it isn't putting its shoulder into the effort. The 
numbers show that the proportion of quarterly critical patch updates 
devoted to Oracle database products has diminished considerably over 
the last two years.

While some might conclude that there are fewer updates because Oracle's 
products are getting more secure, researchers say this trend has 
coincided with a widening of the window between the disclosure of 
vulnerabilities and the release of patches for them.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn
Received on Thu Dec 01 2011 - 00:33:48 PST

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 00:42:46 PST