Stephen Kost, chief technology officer at security vendor Integrigy, noted that IT managers must also deal with Oracle's continuing reluctance to release full details of the flaws it is patching. Unlike Microsoft and other vendors, which release detailed information on each flaw and their patches, Oracle simply releases patches and offers little data on the flaws.
"One piece of information that Oracle does not release is what should be tested when I apply the patch," Kost said. "What should I be testing from a functional perspective; what might I break? Right now I don't know,"
According to Kost, while most of the flaws in Oracle's core database may have been addressed in recent security updates, the number of flaws in ancillary technologies such as Oracle Database Vault and Oracle Audit Vault are not quickly patched. "Products that are supporting the Oracle database are the places where you find problems. That doesn't lessen the risk," but just moves it to another place, he said.
Sign up for Computerworld eNewsletters.