I just found two more news stories about the Gartner report that I wrote about earlier. The first is on TechWeb - It doesn't have an author indicated. It goes into detail about the main thrust of the Gartner analysts report that Oracle have been taken to task for not telling its customers which versions and which products are most vulnerable and also that DBA's and administrators do not have enough information to decide what to patch and which databases are most vulnerable.
I can concur this sentiment as I have had a number of companies ask me how to decide whether their Oracle 7 and 8.0 databases are vulnerable or not and what can be done about it as upgrading is often not realistic. One key message being given on TechWeb and in the original Gartner report is that customers should put pressure on Oracle for more information.
The second article also about the Garnter analysts report is on vnunet. This report covers similar ground and advises that customers review the Alert 68 FAQ regularly, apply the patches, upgrade if possible and set up deep packet inspection if possible or even intrusion detection systems.
Both papers emphasise the issues raised by the Gartner analysts.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Oracle Users Should Take Security Patch 68 Seriously"] [Next entry: "Oracle announce critical patch update schedule - beginning January 18 2005"]
November 2004
- Another good paper by Howard Rogers on read-only tables - 11/01/2004 by 11/01/2004
- The 9.2.0.6 patch set is out - 11/02/2004 by 11/02/2004
- Nice four part paper on label security by Jim Czuprynski - 11/03/2004 by 11/03/2004
- Howard Rogers has a new ebook out - 11/04/2004 by 11/04/2004
- Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner - 11/05/2004 by 11/05/2004
- Post on ORACLE-L : Exploring Oracle November 2004 and REMOTE_OS_AUTHENT - 11/06/2004 by 11/06/2004
- Two great papers and tools by Tim Gorman - 11/07/2004 by 11/07/2004
- A lot of new pages on my site - 11/08/2004 by 11/08/2004
- A new Oracle default password checking tool is available - 11/09/2004 by 11/09/2004
- Small update to the default password check scripts - 11/10/2004 by 11/10/2004
- Colin Maxwell talks about securing web services using JDev and WS-Security - 11/11/2004 by 11/11/2004
- Hack notes books - 11/12/2004 by 11/12/2004
- Interesting discussion on DBMS_SUPPORT versions - 11/13/2004 by 11/13/2004
- Exploits and blog software - 11/14/2004 by 11/14/2004
- Default password lists and updates - 11/15/2004 by 11/15/2004
- 600 Oracle default usernames/passwords available - 11/16/2004 by 11/16/2004
- Two more takes on the Gartner / Oracle exploit information release reluctance - 11/17/2004 by 11/17/2004
- An interesting case of information disclosure - 11/18/2004 by 11/18/2004
- Three more news sites are talking about the new patch schedule - 11/19/2004 by 11/19/2004
- More news on the new patch schedule - 11/20/2004 by 11/20/2004
- Frank Nimphius talks about showing/hiding UIX components based on isUserInRole() - 11/21/2004 by 11/21/2004
- Amis blog - shows how to create a certificate and configure OC4J to use it - 11/22/2004 by 11/22/2004
- Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule - 11/23/2004 by 11/23/2004
- And still more news stories - 11/24/2004 by 11/24/2004
- Colin Maxwell talks about reducing the scope for encryption - 11/25/2004 by 11/25/2004
- James Morle's book is available as a free pdf - 11/26/2004 by 11/26/2004
- Edward Stangler talks about running catpatch - 11/27/2004 by 11/27/2004
- Looks like 9.2.0.6 is available on more platforms now - 11/28/2004 by 11/28/2004
- A good list of Oracle security check items - 11/29/2004 by 11/29/2004
- Edward Stanglers next post in the not running catpatch.sql series - 11/30/2004 by 11/30/2004
Archives
Syndication
Powered by gm-rss 2.0.0
