FRAMINGHAM 19 JANUARY 2011 - Oracle Corp.'s ability to address vulnerabilities in its core database technologies may be hampered by the vast number of products the company now must manage, security experts say.
For example, the list of Oracle's quarterly security updates released Tuesday includes only six patches for security flaws in the company's flagship database products. The other 60 patches released fix bugs in Oracle's Fusion middleware technologies, its supply chain and CRM software and products gained from its acquisition of Sun Microsystems early last year.
The small number of database patches doesn't necessarily mean that the Oracle technology is becoming more secure, said Alex Rothacker, director of security at Application Security Inc.'s Team Shatter vulnerability assessment group.
Rather, it likely shows that the company doesn't have the capacity to fix the full list of Oracle database flaws reported to it in a timely fashion, said Rothacker, whose team of researchers discovered three of the six database flaws addressed in this week's update.
Several other similar flaws have been reported to Oracle by AppSec, but have not been fixed yet, Rothacker said. In some cases, the unpatched vulnerabilities were reported to Oracle several months ago, he added.
"The number of database fixes from Oracle has really gone down," he said. "But that's not because of a lack of vulnerabilities to fix. They have apparently reassigned their priorities and are choosing not to fix all the database vulnerabilities that are reported to them. It appears that they are losing some of the DBMS focus and are getting spread too thin on other stuff."
Oracle did not respond to a request for comment on the reason for releasing six database patches.
The release of six database patches, compared to nine in the October, 2010, security update, continues a trend that began early last year after the acquisition of Sun, said Amichai Shulman, chief technology officer at database security vendor Imperva.
In all of 2010, Oracle issued patches for 32 database flaws, compared to 54 in 2009, 53 in 2008 and over 70 in 2007.
"There is some bottleneck in their vulnerability patching process that is preventing them from getting back to the pace of fixing [database flaws] that they had a few years ago," Shulman said. "Something about the incorporation of so many different products from so many different vendors, especially Sun, has caused some sort of a problem that doesn't allow them to fix more vulnerabilities each cycle."
According to Shulman, some security researchers who have submitted notice of several vulnerabilities to Oracle are waiting to hear back from the company. "I really would like to think that they are getting better with their product, but honestly, that's not it," he said.
Sign up for Computerworld eNewsletters.