Industry analysts say that it has become harder for Oracle to tackle database flaws because of its increased emphasis on acquired products. Oracle currently handles a vast portfolio of products, and this has led to delayed responses to database vulnerabilities. Only six of the patches in Oracle's most recent quarterly security update addressed security flaws in the company's flagship database products. The other 60 patches fixed bugs in products acquired from Sun Microsystems, in Oracle's Fusion Middleware technologies, and in its supply chain and CRM software.
Alex Rothacker, director of security at Application Security Inc.'s Team Shatter vulnerability assessment group, believes that the small number of database patches does not mean that the security of Oracle's database products has improved. Rothacker's team of researchers identified three of the six database flaws addressed by the update.
Rothacker says that Oracle does not have the capacity to address and fix all of the Oracle database flaws that have been identified and reported to it. He adds that several security flaws discovered by AppSec still have not been addressed by Oracle. This does not mean that Oracle cannot fix the flaws, but it has shifted its priorities from the core database to other products. Having spread itself thin, Oracle is struggling to keep up with patches.
Oracle representatives have not responded to queries about why only six patches were released to fix database flaws. Amichai Shulman, chief technology officer at database security vendor Imperva, points out that Oracle released just nine database patches in the previous update, after acquiring Sun Microsystems. Shulman adds that the acquisition of several products from vendors such as Sun has created a bottleneck in the patching process, leading to severe delays. Oracle's past patch counts are impressive compared with the current figures: against 70 patches in 2007, 53 in 2008 and 54 in 2009, Oracle has released just 32 in 2010.
Shulman says that while he would like to believe that Oracle is dealing with the problem, that may not be the case. He knows of several security researchers who are still waiting to hear back from Oracle after reporting vulnerabilities. Stephen Kost, chief technology officer at security vendor Integrigy, says that Oracle has not been providing complete details of the flaws that its patches fix, which makes the job of IT managers difficult. Other vendors, such as Microsoft, offer detailed information on both the flaw and the patch.
Kost says that Oracle is not providing information on what should be tested, and this lack of information makes functional testing of the patches hard. While Oracle is addressing flaws in its core database, patches for flaws in supporting technologies such as Oracle Database Vault and Oracle Audit Vault are not arriving as quickly. Kost concludes that the problem areas are in the products that support the Oracle database, and these products do not decrease risk but simply transfer it somewhere else.
Copyright Techfuels