Many Oracle Users Don’t Apply Security Patches

Perhaps this applies to more than Oracle users?
Sybase? MySQL?
Perhaps even Linux!

Slavik Markovich, chief technology officer of Sentrigo, a database
security firm, said he’s been making presentations at Oracle Users
Groups around the U.S. since August, and at each one he asks for a show
of hands on how many attendees have adopted one of the two most recent
Oracle Critical Patch Updates. He also asks how many have adopted at
least one update since Oracle started issuing them.

Starting with the Capital Area Oracle User Group in Reston, Va., the
answers that he’s gotten have surprised him. At that meeting last
August, two out of 40 attendees said they had installed one of the two
latest patches; 15 said they had installed at least one patch in the
four years of the program. That left 62.5% who had not installed any
patches since the program began in November 2004.

And the effect of this?

“That leaves many databases vulnerable to what are now publicly known vulnerabilities.”

I think we could have guessed that.
The issue is whether the people in the organizations that run unpatched systems thought about that, and thought about the consequences of it.

Probably not.
All the studies I’ve read indicate that the ‘high performers’ not only follow through on security procedures like this, but also have proactive monitoring (e.g. IDS, log file scanning) and proactive response procedures. The people who don’t bother to patch will in all likelihood not even know they have been hacked unless the hack has catastrophic results. If the hacker was subtle and just did some identity theft, or small-but-many financial theft, then the database owner might never know.

So: When did you …

  • last update
      ◦ your OS
      ◦ your browser
      ◦ your database
  • last scan your logs

Enquiring minds want to know, and many of them belong to malicious hackers.
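As an added example (not from the post), here is one way to answer Markovich’s two show-of-hands questions for your own Oracle databases rather than from memory. It assumes the applied Critical Patch Updates are recorded, as Oracle does, in the COMMENTS column of the DBA_REGISTRY_HISTORY view; the history rows and the CPU label list below are constructed for the example.

```python
from datetime import date

# Constructed sample rows in the shape of Oracle's DBA_REGISTRY_HISTORY view
# (ACTION_TIME, ACTION, COMMENTS). Dates and labels are invented for this example.
SAMPLE_HISTORY = [
    (date(2005, 3, 1), "CPU", "CPUJan2005"),
    (date(2006, 8, 14), "CPU", "CPUJul2006"),
]
CURRENT_HISTORY = [(date(2008, 11, 1), "CPU", "CPUOct2008")]  # a fully patched database
NEVER_PATCHED = []                                              # no CPU ever applied

# Quarterly CPU labels, oldest first (constructed list; real labels follow this scheme).
KNOWN_CPUS = [f"CPU{q}{y}" for y in range(2005, 2009) for q in ("Jan", "Apr", "Jul", "Oct")]


def cpu_labels(history):
    """Set of CPU labels recorded as applied, taken from the COMMENTS column."""
    return {comments for _, action, comments in history if action == "CPU"}


def patch_posture(history, known_cpus):
    """Answer both questions for one database and list what is still outstanding.

    any_applied    - at least one CPU has ever been applied
    recent_applied - one of the two most recent CPUs has been applied
    missing        - every CPU issued after the newest one applied
    """
    applied = cpu_labels(history)
    newest = max((known_cpus.index(c) for c in applied if c in known_cpus), default=-1)
    return {
        "any_applied": bool(applied),
        "recent_applied": bool(applied & set(known_cpus[-2:])),
        "missing": known_cpus[newest + 1:],
    }


def tally(postures):
    """Aggregate many databases, like the show of hands at a user-group meeting."""
    n = len(postures)
    if n == 0:
        return {"total": 0, "recent": 0, "any": 0, "never_pct": 0.0}
    recent = sum(p["recent_applied"] for p in postures)
    any_ = sum(p["any_applied"] for p in postures)
    return {"total": n, "recent": recent, "any": any_,
            "never_pct": round(100 * (n - any_) / n, 1)}
```

In practice the history rows would come from `SELECT action_time, action, comments FROM dba_registry_history` on each database; the `missing` list is the backlog of publicly known fixes that database is still exposed without.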
