Imperva: Oracle patches highest security vulnerability (CVSS)

October 2009

A few hours ago, Oracle released its latest quarterly round of security patches. Amichai Shulman, CTO of Imperva, is available to discuss his views on these updates. Some highlights from this release, with Amichai's comments, are below:

· “A relatively small patch, with 38 vulnerabilities being fixed. However, it is one of the most serious ones ever. Six of the database vulnerabilities can be remotely exploited without authentication, while three of the vulnerabilities scored a 10 out of 10 in the Common Vulnerability Scoring System (CVSS). A 10 means hackers gain full control of the database through network access without any authentication, accessing or even changing whatever data they want. I do not recall a 10-rated database vulnerability since Oracle started their quarterly releases.”

· “Additionally, there are three vulnerabilities that scored 6.5 out of 10 in the database server. One of these significant vulnerabilities, for example, came about because Oracle failed to fix the root cause for another vulnerability uncovered in October 2008,” explained Shulman, referring to CVE-2009-2001. Imperva reported that issue a year ago, but Oracle did not fix its root cause, leaving a way to successfully attack the database with a buffer overflow. “It shows that the fix applied by Oracle was local rather than in depth.”

· “Between the security patches released by Microsoft last week and Oracle today, we see inherent limits of the software debugging process. Oracle has been investing significant resources in secure coding practices with its software development life cycle process. Yet in the past year, the number of vulnerabilities and their severity continue to grow, giving us an excellent perspective on the inherent limitations of SDLCs as the first and last line of defense when it comes to protecting data.”
