Oracle's patches are typically released once a quarter, on the same Tuesday that Microsoft releases its monthly patches. But unlike Microsoft's patches, Oracle's database fixes usually prompt no immediate rush to deploy them, Shulman and Markovich said.
In many cases, companies, especially large ones with many databases, are reluctant to bring down production databases to implement new patches. Many are also wary about deploying untested patches in live environments or need to wait for their packaged application vendors to test and certify the patches before they can be deployed, they said.
As a result, there usually is a considerable lag time between when a patch becomes available from Oracle and when it gets deployed. In some cases, the lag can be months. Other users simply skip entire patch cycles and choose to deploy the patches on a yearly or twice-yearly basis, they said.
Sentrigo polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008 and found that two-thirds of Oracle DBAs apparently are not installing Oracle's security patches at all, no matter how critical the vulnerabilities are.
Such practices can leave companies dangerously exposed to attacks directed against database vulnerabilities, Markovich said. Just as in the Windows world, security researchers and malicious attackers are able to reverse-engineer Oracle patches to figure out ways to exploit a vulnerability. The longer a company leaves a hole unpatched, the greater the risk that someone will find a way to take advantage of it, he said.
At the very least, companies that are unwilling or unable to deploy database patches quickly need to implement work-arounds that protect them from the flaws, Shulman added.
Oracle's latest patches come in the wake of a recent study by the Independent Oracle Users Group (IOUG) in which a large number of respondents expressed serious reservations about the security of their database environments.