Pete Finnigan's Oracle Security Weblog

The latest CPU (Critical Patch Update - read security bug fixes) from Oracle is out. The CPU came out last night, as usual on the second Tuesday of each quarter. The CPU is much more of the the same; I think the two key things we can see from this CPU is that there is an ongoing trend of less fixes for the database. To be honest we need to monitor the changes to numbers over a longer period but the trend does seem to be lowering.

The second thing to note is that there are a lot more new names credited on this CPU. This is interesting; it means that whilst some of the normal "security" names are still there there are a lot of new names; does this mean we have more Oracle security researchers (i.e. people just concentrating on Oracle) - I think, No; I think we are starting to see a change to the more mainstream in that other people are now thinking about security, noticing security issues and reporting them to Oracle. Is this good - yes, is it bad for Oracle, in that more people will find bugs? - no, it has to be good that people are starting to take security of data more seriously.

And the third thing (OK, i said two, this is a bonus!), is that whilst there are less database and app server bugs in terms of trend there are 9 bugs in Oracle secure backup all with a risk of 10.0 (only for Windows, for Linux its 7.5), this signifies a "new target" for researchers. Considering that the database itself has been a target for a long time, will all the new products and features attract a large number of bugs going forward? - a delayed trend? - also as we have said it seems that security bugs are mainstream now and also people are aware of data security much more.

Oracle's advisory Oracle Critical Patch Update Advisory - January 2009 is available.