A security researcher today pointed to Oracle for neglecting to patch its core database products. Alex Rothacker, director of security research at Application Security's Team Shatter vulnerability group, said that Oracle has "thrown in the towel on fixing database vulnerabilities."

"Assuming the January 2012 CPU [critical patch updates] report stays the same as the preview, they will have set a new record low of just two database fixes," said Rothacker in an email today.

Rothacker cited nine bugs that his team has reported to Oracle over the last six to 12 months, but which have not yet been patched, as evidence that Oracle Database contains vulnerabilities. Two or three of the nine, said Rothacker, are serious enough that his team of researchers rank them as high risks, and which they think should have been patched by now. "There are still issues that they're not fixing," said Rothacker.

Oracle has noted the drop in database patches, too, but offers a different explanation.

"As the Oracle Database Server code base has matured, Oracle's ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base," said Eric Maurice, director of the company's security assurance program, in a December 2011 blog post. "Unless circumstances change drastically -- as a result of, for example, the discovery of new exploit vectors -- we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at a relatively lower level than previously experienced."

Maurice said that the number of vulnerabilities in its database line-up has decreased over the last three to four years, and that Oracle's secure coding efforts -- an initiative similar to Microsoft's Security Development Lifecycle (SDL) program -- have helped reduce the number of bugs in newer code.

Rothacker countered. "I just can't agree with that," he said today. "We're reporting about the same amount [of bugs] to them, but they're fixing fewer."

In 2011, Oracle patched five database vulnerabilities in October, 16 in July, and six each in April and January. All four CPUs issued in 2010 included database fixes in single digits, while the four in 2009 each contained a double-digit number of database patches.

Oracle today declined to comment on Rothacker's claims, but said it would publish commentary on today's CPU when it issues the update.