Customers Wait for Oracle Security Patches

Just call it Oracle's May critical patch update.

Three weeks after the database server vendor announced the release of its April 2006 CPU, customers are still waiting for the several important fixes.

The update, which addresses 36 different product flaws, is still undergoing quality assurance testing and is not yet available for download.

On April 18, when the scheduled quarterly update was released, Oracle said the patches would be ready for download on May 1.

Now, according to information posted on the company's Metalink portal, some of the patches won't be ready until May 15.

Oracle declined a request for an interview to discuss the delay, which is being blamed on ongoing patch quality testing. A promised statement was not available at the time this article was published.

Alexander Kornbrust, founder and CEO of Red-Database-Security, said the absence of the patches a full month after the scheduled release date points to a resource problem at the Redwood City, Calif., vendor.

"It's very normal for Oracle to release all the patches for all platforms, but this month it's been extreme. This defeats the purpose of having a scheduled release cycle," Kornbrust said in an interview with eWEEK.

Kornbrust, who regularly reports database and server flaws to Oracle, said the purpose of implementing a rigid patch release cycle is to help DBAs prepare for patch testing and deployment.

"If these DBAs now have to wait weeks and months for the patches, what's the use of having an Oracle patch day?" he asked.

Cesar Cerrudo, founder and CEO of Argeniss Information Security, said patches for Oracle database versions 8.1.7.4, 10.1.0.4, 10.1.0.5 and 10.2.0.2 are among those that are not yet available.

Ziff Davis Media eSeminars invite: Join us on May 8 at 2 p.m. ET as security and identity management experts and Sun Microsystems look at how identity management provisioning can help lower TCO and realize ROI payback.

"Oracle promised them on May 1. Now they are saying some will come on May 10 and others will come on May 15. It's clear they are having big problems," Cerrudo said.

He said Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process.

"For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related," Cerrudo said.

"They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability," he added.

Aaron Newman, database security expert, chief technology officer and co-founder of Application Security, said Oracle customers must start demanding better security practices.

"These aren't random complaints from unhappy researchers," Newman said, referring to the comments from Kornbrust and Cerrudo. "They need to admit their procedures aren't working and seek help getting it fixed."

David Litchfield, co-founder of British database security outfit Next Generation Security Software, believes Oracle should invest more resources into its patch creation and quality assurance processes.

"[They] should expend more effort on securing extant code in preference to writing new code [and] rework their security tools," Litchfield said in an e-mail interview.

"Researchers have proved that Oracle's code scanning tools have failed to a large extent—now Oracle should work out why and change the tools accordingly," he added.

Lisa Vaas contributed to this report.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.