Survey: Two-thirds users don't deploy Oracle quarterly critical patches
If you build it, will they come?
Apparently not when it comes to Oracle's quarterly Critical Patch Updates (CPUs).
Database security firm Sentrigo released some surprising numbers Monday, culled from a survey of 305 database administrators, consultants, and developers in attendance at Oracle Users Group meetings last year.
The survey found that a staggering two-thirds of respondents had never applied an Oracle quarterly CPU. Not one, nada, a big fat zero.
And of the remaining 33 percent of survey respondents who did, only 10 percent noted they had gotten around to applying Oracle's more recent CPU, or the one before that.
"When it comes to installing the CPUs, it involves testing the applications that are running on the database. A single database may run three or four applications, or thousands of them. It takes a lot of time, and fixing a bug here, or there, in the database can affect the application," said Slavik Markovich, Sentrigo's chief technology officer.
Hopefully, database administrators will step up to the plate and take a swing at this cumbersome task, given Oracle is set to release its next quarterly Critical Patch Update on Tuesday--and we're talking 27 security patches across hundreds of Oracle products.
The upcoming CPU includes eight security patches for Oracle's database and six for its Oracle Application Server. The database flaws are believed to be less problematic, because attackers cannot exploit them without first authenticating with a valid username and password; the Oracle Application Server vulnerabilities aren't so lucky, since those flaws could be remotely exploited without authentication.
Despite this work ahead--or not if you're part of the group that never deploys the Oracle CPUs--one thing that you may find heartening is the 27 patches are far less than the 101 security fixes Oracle doled out in October 2006, as part of its Critical Patch Update.
Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.
CEOs?
At least, they should evaluate the criticality of every patch!
What if American Airlines or Delta miss any mandatory repair and you are flying in THAT plane?
Trouble is, trying to get management to agree to the necessary downtime and cost of the update. That's not to say that there aren't DBAs out there that don't care or don't know to do this. Overall, it seems that there is a general lack of prioritization in the corporate world. Computer maintenance is at the bottom of the list of "things to do". If a manager can't state 100% uptime, then they don't authorize the work. If a DBA responds honestly that the downtime will be held to a minimum but, due to circumstances beyond their control, the downtime could exceed the estimate, then they are not authorized to take the system down. Even if there is no downtime but the threat of downtime exists, you hit the wall.
Again, that's not to say that there aren't managers out there that know to do the right thing, but in today's performance-bonus-driven world, it's shocking how many companies will "roll the dice" on security. Unfortunately, when the stuff hits the fan, the DBA is still blamed for not providing the necessary support.
So let's not blame the DBAs entirely. Management has to actually practice what they "preach" during their BS bingo sessions.