Oracle's fast growing product set may be hampering its ability to create patches for database flaws in a timely fashion, security experts say.
The list of Oracle's quarterly security updates released Tuesday includes only six patches for security flaws in the company's flagship database products. The other 60 patches released fix bugs in Oracle's Fusion middleware technologies, its supply chain and CRM software and products gained from its acquisition of Sun Microsystems early last year.
The small number of database patches doesn't necessarily mean that the Oracle technology is becoming more secure, said Alex Rothacker, director of security at Application Security Inc.'s Team Shatter vulnerability assessment group.
Rather, it likely shows that the company doesn't have the capacity to fix the full list of Oracle database flaws reported to it in a timely fashion, said Rothacker, whose team of researchers discovered three of the six database flaws addressed in this week's update.
Several other similar flaws have been reported to Oracle by AppSec, but have not been fixed yet, Rothacker said. In some cases, the unpatched vulnerabilities were reported to Oracle several months ago, he added.
"The number of database fixes from Oracle has really gone down," he said. "But that's not because of a lack of vulnerabilities to fix. They have apparently reassigned their priorities and are choosing not to fix all the database vulnerabilities that are reported to them. It appears that they are losing some of the DBMS focus and are getting spread too thin on other stuff."
Oracle did not respond to a request for comment on the reason for releasing six database patches.
The release of six database patches, compared to nine in the October, 2010, security update, continues a trend that began early last year after the acquisition of Sun, said Amichai Shulman, chief technology officer at database security vendor Imperva.
In all of 2010, Oracle issued patches for 32 database flaws, compared to 54 in 2009, 53 in 2008 and over 70 in 2007.
"There is some bottleneck in their vulnerability patching process that is preventing them from getting back to the pace of fixing [database flaws] that they had a few years ago," Shulman said. "Something about the incorporation of so many different products from so many different vendors, especially Sun, has caused some sort of a problem that doesn't allow them to fix more vulnerabilities each cycle."
According to Shulman, some security researchers who have submitted notice of several vulnerabilities to Oracle are waiting to hear back from the company. "I really would like to think that they are getting better with their product, but honestly, that's not it," he said.
Stephen Kost, chief technology officer at security vendor Integrigy, noted that IT managers must also deal with Oracle's continuing reluctance to release full details of the flaws it is patching. Unlike Microsoft and other vendors, which release detailed information on each flaw and their patches, Oracle simply releases patches and offers little data on the flaws.
"One piece of information that Oracle does not release is what should be tested when I apply the patch," Kost said. "What should I be testing from a functional perspective; what might I break? Right now I don't know,"
According to Kost, while most of the flaws in Oracle's core database may have been addressed in recent security updates, the number of flaws in ancillary technologies such as Oracle Database Vault and Oracle Audit Vault are not quickly patched. "Products that are supporting the Oracle database are the places where you find problems. That doesn't lessen the risk," but just moves it to another place, he said.