Dark Reading: Recently, security researchers have been complaining that Oracle has been too slow to patch its database software, leaving customers vulnerable to attacks. “I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have an impact on customers where customers have to make some changes to their products, to their software that uses the databases, those things don’t get done in the CPU,” says Application Security’s Alex Rothacker. “We have a vulnerability disclosed where basically we can brute force any user’s password, and we reported this two years ago and they haven’t fixed it yet.”
Oracle has been putting out fewer critical security patches lately, but researchers say that isn’t because the software has fewer vulnerabilities. “They respond immediately and say ‘Thank you very much for the information’ and so on, but it sometimes takes more than a year to actually release a patch,” says McAfee’s Slavik Markovich. “I get the feeling that they don’t invest enough or have enough people working on this so it takes a long time to patch.”