Around 70 percent of Oracle database professionals say they have never applied a security patch, according to database security firm Sentrigo.
In a survey of 305 Oracle professionals, Sentrigo claims the majority did not apply the Oracle patches released in Oracle Critical Patch Updates. This leaves users' databases open to compromise, according to analyst company Canalys.
The survey, conducted at various US Oracle User Group meetings last year, found that 67.5 percent of respondents had never applied any Oracle critical patches, and that 90 percent had not yet applied patches from the most recent Critical Patch Update, which was released in October 2007.
Users cited concerns over downtime and compatibility with applications as reasons not to patch.
"On the face of it, these survey results look alarming," said Andy Buss, senior Canalys analyst. "Not patching can leave companies open to compromise. Companies need to get into the routine of testing and applying patches, for the sake of compliance."
Compliance issues can arise if companies are subject to regulations such as PCI DSS (Payment Card Industry Data Security Standard), where non-compliance can result in fines, or Sarbanes-Oxley, where weaknesses in security controls in systems such as Enterprise Resource Planning can lead to "consequences" for C-level officers, said Buss.
Oracle periodically releases patches in the form of Critical Patch Updates. The next Oracle Critical Patch Update is due to be released on Tuesday 15 January, and in a pre-release announcement, Oracle warned that this update will contain "27 security fixes across hundreds of Oracle products". Some of the vulnerabilities to be addressed in the Critical Patch Update affect multiple products, Oracle added.
Products affected include versions of Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, Oracle PeopleSoft Enterprise PeopleTools and Oracle PeopleSoft Enterprise Human Capital Management. Ten of the 27 vulnerabilities to be addressed may be exploited remotely without authentication, said the pre-release announcement.
Buss said that companies should patch vulnerabilities identified by the manufacturer, list updates to work out if they need to be installed, and institute a timed procedure to test and update necessary patches.
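The routine described above (keep an inventory of what each database host has applied, compare it against the vendor's release list, and measure how long outstanding patches have waited) can be tracked with a small script. The example below is added here and is not from the article, Sentrigo, Canalys or Oracle; the host inventory, the patch identifiers and the release dates are constructed sample data, and the 30-day limit is a hypothetical internal service level.

```python
from datetime import date

# Constructed sample inventory (not real hosts): each database host maps to the
# set of Critical Patch Update identifiers recorded as applied on it.
APPLIED_BY_HOST = {
    "db-prod-01": {"CPU-2007-07"},
    "db-prod-02": set(),
    "db-prod-03": {"CPU-2007-07", "CPU-2007-10"},
}

# Constructed release calendar (identifiers and dates are sample values, not
# taken from Oracle's advisories).
CPU_RELEASES = {
    "CPU-2007-07": date(2007, 7, 17),
    "CPU-2007-10": date(2007, 10, 16),
    "CPU-2008-01": date(2008, 1, 15),
}


def patch_gaps(applied_by_host, releases, today, sla_days=30):
    """Return, per host, the released patches it has not applied.

    Each gap records how many days the patch has been available and whether
    that exceeds the (hypothetical) sla_days limit. Patches whose release
    date is after `today` are not yet due and are ignored.
    """
    gaps = {}
    for host, applied in applied_by_host.items():
        host_gaps = []
        for patch_id, released in sorted(releases.items(), key=lambda kv: kv[1]):
            if released > today or patch_id in applied:
                continue
            days_outstanding = (today - released).days
            host_gaps.append({
                "patch": patch_id,
                "days_outstanding": days_outstanding,
                "overdue": days_outstanding > sla_days,
            })
        gaps[host] = host_gaps
    return gaps


def coverage_rate(applied_by_host, releases, today):
    """Fraction of hosts with no outstanding (released, unapplied) patches."""
    gaps = patch_gaps(applied_by_host, releases, today)
    if not gaps:
        return 0.0
    fully_patched = sum(1 for host_gaps in gaps.values() if not host_gaps)
    return fully_patched / len(gaps)


def report(applied_by_host, releases, today, sla_days=30):
    """Human-readable summary, one line per outstanding patch."""
    lines = []
    for host, host_gaps in patch_gaps(applied_by_host, releases, today, sla_days).items():
        if not host_gaps:
            lines.append(f"{host}: up to date")
        for gap in host_gaps:
            state = "OVERDUE" if gap["overdue"] else "pending"
            lines.append(f"{host}: {gap['patch']} outstanding {gap['days_outstanding']}d ({state})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Evaluate the inventory a few days before the January 2008 update is due.
    print(report(APPLIED_BY_HOST, CPU_RELEASES, date(2008, 1, 10)))
    print(f"coverage: {coverage_rate(APPLIED_BY_HOST, CPU_RELEASES, date(2008, 1, 10)):.0%}")
```

Running the report on a schedule (for example the day after each quarterly release) gives the "timed procedure" a concrete artefact: a list of hosts that are overdue rather than a vague sense that patching is behind.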
However, there are also ways of mitigating the risk of compromise without patching, said Buss. Companies can deploy technologies that monitor data flows between database servers and hosts on the network, and inspect traffic for anomalies. Organisations should also build network architecture that doesn't allow PC traffic to go into the data centre, said Buss.
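One concrete form of the monitoring and architecture controls Buss describes is to check connection records against a policy that says only the application tier may reach the database listener, so that any workstation reaching the database port is flagged. The example below is added here and is not from the article or any vendor; the flow records, the addresses, the application-tier subnet and the listener port are all constructed sample values.

```python
import ipaddress
import re

# Constructed sample flow records (not real logs): timestamp, source, destination,
# destination port and protocol, in a simple key=value layout.
SAMPLE_FLOWS = """\
2008-01-10T09:12:03 src=10.10.2.14 dst=10.10.1.5 dport=1521 proto=tcp
2008-01-10T09:12:07 src=10.10.2.15 dst=10.10.1.5 dport=1521 proto=tcp
2008-01-10T09:13:41 src=10.50.3.21 dst=10.10.1.5 dport=1521 proto=tcp
2008-01-10T09:14:02 src=10.50.3.21 dst=10.10.4.9 dport=443 proto=tcp
2008-01-10T09:15:19 src=10.50.7.8 dst=10.10.1.5 dport=1521 proto=tcp
"""

# Hypothetical policy values: the database listener port being watched and the
# only subnet (the application tier) allowed to open connections to it.
DB_PORT = 1521
APP_TIER = [ipaddress.ip_network("10.10.2.0/24")]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow record; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # not an IP address; ignore rather than crash the monitor
        yield {
            "ts": m["ts"],
            "src": str(src),
            "dst": str(dst),
            "dport": int(m["dport"]),
            "proto": m["proto"],
        }


def flag_untrusted_db_connections(text, db_port=DB_PORT, allowed_nets=APP_TIER):
    """Return flow records that reach the database port from outside allowed_nets."""
    flagged = []
    for flow in parse_flows(text):
        if flow["dport"] != db_port:
            continue
        src = ipaddress.ip_address(flow["src"])
        if any(src in net for net in allowed_nets):
            continue
        flagged.append(flow)
    return flagged


def sources_by_count(flagged):
    """Aggregate flagged records per source address, most frequent first."""
    counts = {}
    for flow in flagged:
        counts[flow["src"]] = counts.get(flow["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = flag_untrusted_db_connections(SAMPLE_FLOWS)
    for flow in hits:
        print(f"{flow['ts']} database connection from outside app tier: {flow['src']} -> {flow['dst']}:{flow['dport']}")
    print("offending sources:", sources_by_count(hits))
```

The same policy expressed as a firewall rule between the workstation network and the data centre would prevent these connections outright; the monitoring version is what catches the cases where that segmentation is missing or has been bypassed.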