Oracle issues dozens of security patches every quarter, but many database administrators are not implementing them because of the complexity of the processes involved.
A good two-thirds of all Oracle DBAs appear not to be installing Oracle's security patches at all, no matter how critical the vulnerabilities may be, according to survey results from Sentrigo, US-based vendor of database security products.
The results are "surprising, and to be candid, quite frightening," said Mike Rothman, president of consulting firm Security Incite in Atlanta.
Sentrigo polled 305 Oracle database administrators from 14 Oracle user groups across the US between August 2007 and January 2008. The company asked the administrators two questions: whether they had installed the latest Oracle patches, and whether they had ever installed any of Oracle's security updates.
The results, which come even as Oracle is scheduled to release its next batch of quarterly Critical Patch Updates today, showed that 206 out of the 305 surveyed said they had never applied any Oracle Critical Patch Updates. Just 31 said they had installed the most recent security update from the company. In total, only one-third said they had ever installed an Oracle Critical Patch Updates .
Commenting on the results, Oracle said the company "encourages organiSations [to] apply Critical Patch Updates in a timely fashion to maintain their security posture."
"Critical Patch Updates for the Oracle Database are cumulative for the patch set to which they apply, making it easier for customers to keep their systems current with the latest security patch updates," the company said.
The results support what Sentrigo has been hearing anecdotally for sometime, said Slavik Markovich, chief technology officer at Sentrigo. "Some database administrators don't even monitor for Oracle's Critical Patch Updates. They don't even know when the Critical Patch Updates come out," he said. "Sometimes, even if their security department tells them to deploy it, they just ignore it," he said.
There are two major reasons for the trend, Markovich said. The first and most important is that most DBAs fear the consequences of installing a patch on a running database, he said.