A new strategy for applying Oracle patches
Security firm says install Oracle database patches immediately, other Oracle patches later
- By Joab Jackson
- May 20, 2009
Every four months, Oracle releases a batch of patches that fix the most recent vulnerabilities in all of its products. And with each release, the company urges that each and everyone one of these patches be applied immediately.
However, a security firm that specializes in Oracle products is taking exception to this prescription.
"Oracle's mentality is to apply them all right now. We don't think that is realistic in most organizations," said Stephen Kost, chief technology officer for the e-business security consulting firm Integrigy. Kost gave a presentation on the Oracle quarterly patches at the Independent Oracle Users Group Collaborate conference held earlier this month in Orlando, Fla.
If an organization does not have the resources to apply all the patches post-haste, it should apply the Oracle database patches first, Kost advised. An unpatched public-facing database can be the largest vulnerability for an organization.
"Typically the database vulnerabilities are the ones with the exploits out there. They are very difficult to mitigate unless you block access to the database," he said. "The database patches are very easy to apply and have very few problems. You get a huge benefit without a lot of effort."
After the database patches are applied, only then should an organization go through the application patches to see which ones are critical to their operations and apply those as time permits. Finally, the remainder of the application patches should be rolled into the next update to the technology stack. This eliminates the time-consuming process of regression and functional testing, which is usually done during stack upgrades anyway, Kost said.
Since Oracle started bundling patches in 2005, the company has issued 897 security fixes, including 374 in its database systems. Kost estimated that there are still at least 100 open security bugs currently unfixed by Oracle, most of which are with the company's enterprise software. "At least for the next two years, there will be these security patches coming out on a regular basis," Kost said.
Typically, when a bug or vulnerability is found in an Oracle application, by either a user, a security firm or Oracle itself, Oracle's assurance group reviews the finding and then schedules it to be fixed. It then usually takes the company between three and 36 months to fix a bug, Kost estimated. The process is a complicated one because all the supported versions of the software program must be fixed, and they must be tested against all the versions of all the other Oracle programs.
A patch can span more than one release cycle, as users may find the fixed software now interacting in undesirable ways with the other applications to which it may be tied, and file bug reports to Oracle about the problem. Oracle then has to release a follow-up patch to correct this aberrant behavior as well.
One critical point to keep in mind with database patching is that even if you are not using a module that is being patched, you should still apply the patch, Kost advised. During installation, all of Oracle's optional modules are installed, even if they are not activated. A malicious user can still exploit a vulnerability in an unactivated module to access the database.
Integrigy has done a lot of security work with Oracle software and Kost has submitted over 40 vulnerabilities to Oracle. When each set of patches is released, the company posts on its Web site more detail about which patches are the most critical.
Oracle will issue the next quarterly patches on July 14 and October 13.