Pete Finnigan's Oracle Security Weblog

I attended Tom Kytes keynote last night at the UKOUG and, like everyone there was interested to learn as much I could about Oracle Express edition, the new free cut down version of Oracle 10gR2 leaked on blogs last week and officially announced last night by Tom. Tom's speech was excellent mostly due to showing my web site and blog posting on this subject on the big screen at the beginning along with some other bloggers sites. Only kidding Tom, the speach was great, a free version of Oracle is the best news.

At the end of Toms speech I asked a question. "Will we get critical security patches for Oracle?". Tom's answer was that "off the record" he is pushing for it but its not decided internally. In fact he told me top blog about the issue here! I pointed out aftert Tom's answer that XE is likely to become very widely deployed on peoples desktop PC's, websites and many more. This. with the explosion of broadband useage effectively means more Oracle databases will be exposed to the world wild web. I pointed out as the number of Oracle instances grows the likelyhood of a slammer type worm grows. In fact I talked here yesterday about someone releasing a concept code for an Oracle worm on the full disclosure list. Whilst this worm did not do much a real one could follow brought on by wide deployment.

In security terms the attack surface will increase. For people who know a lack of patches can be worked around by not exposing the database but most people will download it or get it as part of another application and will not be aware and could expose the software. If critical bugs are found and become publically known everyone who downloads or deploys XE deserves recourse to security patches. Ideally XE would be included in the CPU updates and patches made available not via metalink.

Please Oracle, give us free access to security patches for XE!!