Gartner Bashes Oracle Over Security

Oracle security practices are raising red flags, a Gartner analyst recently warned, and administrators should hunker down in protecting their database systems.

Just five days after Oracle released a critical security update that patched 82 vulnerabilities, a Gartner researcher said in an online advisory that "Oracle can no longer be considered a bastion of security."

"The range and seriousness of the vulnerabilities patched in this update cause us great concern," wrote Rich Mogull. "The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur."

Mogull noted that Oracle administrators had avoided patching by relying on the database's strong security and the fact that the software was deployed deep within an enterprise's defenses. That no-patching procedure won't cut it now.

"Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet," said Mogull. He also blasted Oracle for providing too little information about vulnerabilities, rolling out low-quality patches, and neglecting to offer workarounds.To keep databases secure, he recommended that companies shield all Oracle systems, patch known bugs -- "because incomplete information from Oracle will make shielding incomplete," he said in an aside -- and pressure Oracle to get on the security stick.

Many of the same criticisms were leveled at Microsoft years ago, prompting the Redmond, Wash.-based developer to make major changes in its security practices.

Other organizations expressed concern with the massive Oracle update, including security giant Symantec, which raised its overall Internet risk monitor, dubbed ThreatCon, for several days to level "2" in its 1-5 scale. Symantec has since lowered ThreatCon to "1," a normal practice after time has gone by without an exploit appearing against just-disclosed vulnerabilities.