Safe Databases Are Key to Security
September 10, 2004
Oracle rates the severity of many of these vulnerabilities as Level 1, its highest level. There are no work-arounds; Oracle recommends applying available patches immediately. (Please test your patches before sending them to production servers!) Go to www.oracle.com/ for details.
Oracle reportedly sat on both the vulnerabilities and patches before releasing them. In an interview after the Black Hat Briefings convention in July, David Litchfield, managing director of U.K. vendor Next-Generation Security Software, said he had notified Oracle of 34 vulnerabilities early in the year. Oracle fixed those holes a couple of months ago, he said, but then waited to release the fixes as it was transitioning to a monthly patch update cycle. Incidentally, this release cycle is now the same as Microsoft's.
What's at Stake
As Richard Hoffman notes in our Buzzcut, there's no such thing as unbreakable software, no matter what Oracle or any other vendor says. Any application attached to a network has vulnerabilities--most just haven't been found yet. At the same time, your database administrator better have limited database access to only those people and applications in need of it.
Fact is, our most important information is stored in databases. Customer information. Financial data. Research results. We build complex applications that access this information, often through app servers that sit on the Web. Who cares about getting the keys to the kingdom via OS access when intruders can just as easily go directly for the database gold?
Page: 1 | 2 | 3 | Next Page »
