Imperva CTO blasts Oracle patching
Oracle's patching system needs fixing, according to Imperva's CTO.


Oracle should patch database vulnerabilities more frequently and be more open about what the flaws are, a security expert has claimed.
Imperva chief technology officer (CTO) Amichai Shulman said Oracle used to issue fixes more regularly, even when it had far fewer products.
"One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products," Shulman said.
"The quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year."
Shulman said he could not believe "there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities."
Furthermore, the CTO said Oracle did not explain in enough detail what the vulnerabilities were.
"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits," he added.
"Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."
Oracle chose not to comment on Shulman's statement.
However, Oracle has included a new document in the critical patch update to help administrators better understand the related security vulnerabilities.
"This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation," Oracle said in a blog.
Shulman's comments came a day after Oracle released its January 2011 Critical Patch Update, which covered 66 vulnerabilities across a range of products.
A total of 16 fixes were for Oracle's Fusion Middleware offering alone, two of which had the maximum CVSS Base Score of 10.0.
A fix for an Oracle Audit Vault vulnerability, which was also handed the maximum CVSS Base Score, was issued.
"We are seeing fixes for remote execution without authentication, which is very severe," Shulman added.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.