Information Security News mailing list archives

Researchers Say Oracle Leaves Databases Needlessly Vulnerable


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 1 Dec 2011 02:33:48 -0600 (CST)

http://www.darkreading.com/database-security/167901020/security/news/232200517/researchers-say-oracle-leaves-databases-needlessly-vulnerable.html

By Ericka Chickowski
Contributing Editor
Dark Reading
Nov 30, 2011

Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown through acquisitions such as the blockbuster Sun deal, it hasn't maintained enough resources to develop database products securely and to resolve vulnerabilities disclosed by researchers in a timely fashion.

"I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have an impact on customers where customers have to make some changes to their products, to their software that uses the databases, those things don't get done in the CPU," says Alex Rothacker, manager of Application Security Inc.'s research arm, TeamSHATTER. "We have a vulnerability disclosed where basically we can brute force any user's password and we reported this two years ago and they haven't fixed it yet."

It's a complaint lodged by many researchers, who say that even as Oracle publicly states it wants to work with the research community to fix database issues, it isn't putting its shoulder into the effort. The numbers show that the proportion of quarterly Critical Patch Update fixes devoted to Oracle database products has diminished considerably over the last two years.

While some might conclude that there are fewer updates because Oracle's products are getting more secure, researchers say this trend has coincided with a widening of the window between the disclosure of vulnerabilities and the release of patches for them.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn

