Oracle's Security Luck Runs Out
Oracle customers may be experiencing security déjà vu.
On August 31 the company warned of database security holes and released a patch. This morning it told customers that those same holes need immediate attention and strongly advised them to install the patch.
The more urgent warning was issued after Oracle learned that attackers have been actively exploiting the database holes in the wild.
Failure To Communicate
Why didn't the message get through the first time?
Many customers either didn't receive the August communication or failed to act on it because they didn't know if their specific products were affected.
To avoid inviting more attacks, Oracle has provided few details about the holes or which software is affected. Patching is time-intensive, and many companies chose not to install patches they weren't sure they needed.
Database 8i, 9i and 10g, Application Server and Enterprise Manager are thought to be susceptible, but that list is not exhaustive.
"I think there's a communication problem at Oracle," said Noel Yuhanna, senior analyst with Forrester Research. "They haven't clearly specified what needs to be done [and] what databases are affected, [nor have they revealed] the seriousness of this."
Months of Fixes
Yuhanna told CRM Buyer that he has received concerned calls from clients who use Oracle products, asking whether their desktop applications, which sit on top of Oracle databases, will be affected by the security flaws.
"Some of these clients have thousands of databases, and this isn't something that can be fixed in one month's time even," he said.
To avoid the kind of problems that left Microsoft SQL Server stuck in security incident response mode only two years ago, "Oracle needs to push this information down through top management that these are really important flaws to correct," he said.
New Problem for Oracle
"Oracle has never dealt with this kind of situation in which it has had a flaw in security that covers a wide range of its software," he continued. "Customers obviously are complaining."
Yuhanna said that Oracle has been lucky. It has become well known for the security features inherent in its products, so much so that with the recent release of Database 10g, "it was more focused on making a world-class software with all of the bells and whistles." Attention to security was neglected.
"This is a wake-up call to Oracle to take security more seriously," he said. "Oracle will come back," he predicted, but not until it learns that "all software products are vulnerable to security flaws."