Database Administrators: Losing the Patch Race?

4:10 PM -- One of the great ironies of patch management is that a vendor's release of a "security patch" often initiates a race between attackers and IT people. IT races to implement the patch before the vulnerability can be exploited; security researchers, good and evil, race to reverse engineer the patch, exposing the vulnerability it fixed and creating exploits to take advantage of it.

In the midst of this great race, you would think that administrators of mission critical systems -- especially database servers -- would never choose not to apply patches that could protect them, right?

Wrong. On Monday, Sentrigo, a database security solution provider, released the results of a survey which indicates that 62.5 percent of Oracle database administrators haven’t installed any Oracle Critical Patch Updates (CPU). The survey is based on more than 300 interviews with Oracle DBAs conducted by Sentrigo’s CTO Slavik Markovich at Oracle user group meetings around the United States.

Considering that database servers often contain the most sensitive information in the organization, how can the majority of DBAs fail to install patches? Do they think that the almighty Oracle database server is unhackable?

Unlikely. Ironically, the real reason they don’t patch is because the database server is so important. If a system is so critical that patching it could cause a service outage leading to a loss of business, management is likely to say, "Don’t patch." Even when the security engineer explains the potential for exploitation, I can hear management respond, "Well, it’s your job to prevent that from happening."

The report was timely -- Oracle released its latest CPU, containing 27 security fixes, just a day after the report was released. Will the report spur DBAs to implement the fixes to their production systems? It’s impossible to say. But you can bet that the attackers have read it -- and are already racing to develop exploits against the vulnerabilities they can uncover from yesterday’s CPU.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading