Pete Finnigan's Oracle Security Weblog

OK, its not Oracle database security but its big news and it is from Oracle. Oracle have recently released an out of band Java security patch which supposedly fixed serious security flaws; then a few days ago the guys at Security Explorations who reported the bugs said that Java is still vulnerable and the fix didn't patch the hole entirely. There have already been phishing attempts with fake Amazon order emails and others exploiting these bugs.

Back to the database; doesn't this attempt to fix Java sound like what was happening with Oracle database fixes 6 or 7 years ago. We all would have to say that the database CPU, patches, fixes and more are getting much better than they were in the bad old days of alerts such as the monster alert 68 and we are all aware that. This is good of course. The topics of conversations a few years ago (4 years at least) for instance at the Oracle Security round table at the UKOUG conference were always focused around CPU's and bugs, I remember one round table where the talk around the group was almost exclusively about bugs/hacks and of course fixes. Even just talking to people out at clients or conferences or anywhere really the talk aways degenerated to CPU's and bug fixes BUT I really feel that has changed now and people are focusing more on actual data security and not just patches. This is good. We also know of Oracles efforts at teaching staff about secure coding and their use of code analysers mentioned in old blog posts so we know for the database there has been a concerted effort to get better.

When i read the stuff about the Java fix and the patch not properly fixing the bugs (see links above) it so reminded me of the old database days and i made a note to blog about it. I did a quick dig and found a post "A Decade of Oracle Security" quoting David Litchfield; scroll down the linked page to 2005, January 6 and see what David is quoted as saying on BugTraq; sounds very familiar!

Deja-Vu?