http://www.darkreading.com/database-security/167901020/security/news/232200517/researchers-say-oracle-leaves-databases-needlessly-vulnerable.html By Ericka Chickowski Contributing Editor Dark Reading Nov 30, 2011 Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown with acquisitions such as the blockbuster Sun deal it hasn't maintained enough resources to securely develop database products and resolve vulnerabilities disclosed by researchers in a timely fashion. "I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have an impact on customers where customers have to make some changes to their products, to their software that uses the databases, those things don't get done in the CPU," says Alex Rothacker, manager of Application Security Inc.'s research arm, TeamSHATTER. "We have a vulnerability disclosed where basically we can brute force any users password and we reported this two years ago and they haven't fixed it yet." It's a complaint lodged by many researchers, who say that even as Oracle publicly states it wants to work with the research community to fix database issues, it isn't putting its shoulder into the effort. The numbers show that over the past several years, the proportion of quarterly critical patch updates for Oracle database products has diminished considerably over the last two years. While some might come to the conclusion that there are fewer updates because Oracle's products are getting more secure, researchers say this trend has occurred simultaneously as the window between disclosure of vulnerabilities and patch releases for them has grown wider. [...] _____________________________________________________ Subscribe to InfoSec News - www.infosecnews.org http://www.infosecnews.org/mailman/listinfo/isnReceived on Thu Dec 01 2011 - 00:33:48 PST
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 00:42:46 PST