The vulnerabilities run across multiple modules and functions. The database products have holes in the Database Server and Listener components, and these don't even require a valid user account to exploit. Oracle Application Server is similarly vulnerable in its Portal and iSQL*Plus components. Oracle Enterprise Manager's holes are somewhat less severe--they can be exploited only by those with a valid OS-level user account--but other Oracle products, such as Oracle Collaboration Suite and E-Business Suite 11i, will require full patching of their underlying database server and application server components. With no workarounds available, Oracle recommends applying the patches immediately.
It's hard not to see the Oracle problems as comeuppance for Ellison's 2001 "unbreakable" speech, which painted a big fat target on Oracle's product line. A challenge to bring it on may make a good sound bite, but it's an extremely bad idea. Every system has vulnerabilities, and to claim otherwise smacks of stupidity, arrogance or an unwise PR stunt. Since Ellison is widely known to be brilliant, we're left with hubris or PR.
Oracle's patches may plug this set of holes, but should users consider switching vendors? In a word, no. Although this recent bundle of vulnerabilities is indeed serious, Oracle's overall record for security issues--though far from Ellison's claims of perfection--is still good. Oracle's problems don't run nearly as deep and wide as Microsoft's, and there's no mass exodus from SQL Server or Windows.
IT managers should give careful scrutiny to their security staff, infrastructure and patching procedures. Keeping up with OS and application patching is absolutely essential. It's not a question of whether your organization will be targeted by hackers or criminals, but when.