It is funny.  As people get more used to patching operating systems they seem to think that makes them bullet proof on the whole system, yet this is simply not the case.  With Microsoft products people are used to patching them as needed to reduce the security risks on their systems.  Others will sight that their systems are already secure and therefore don't need patching.  I remember a few years ago watching the outcome of a Hackathon and the losing team lost not because of the OS security, but because of the application on top of it being unpatched and insecure.

If you have an application that uses Oracle, check it is being patched and secured as in a single month Oracle have been known to release 40+ patches.

Now before you go and pat yourself on the back for being so good at not having any Oracle systems, you might need to check your Windows applications are also patched.  Fro the Windows patch story, look at One-fifth of Windows apps go unpatched - down from 28% last May, but still need to be careful

Survey: Most Oracle professionals don't patch

Tom Espiner ZDNet.co.uk

Two-thirds of Oracle Database professionals are not applying critical patches, security company Sentrigo has found.

In a survey of 305 Oracle professionals, Sentrigo found the majority did not apply the Oracle patches released in Oracle Critical Patch Updates. This leaves users' databases open to compromise, according to analyst company Canalys.

When asked at various US Oracle User Group meetings last year, the Sentrigo survey found 67.5 percent of respondents said they had never applied any Oracle critical patches, and 90 percent said they had not applied the latest set of patches in the Critical Patch Update, which was released in October 2007.

Users cited concerns over downtime and compatibility with applications as reasons not to patch.

"On the face of it, these survey results look alarming," said Andy Buss, senior Canalys analyst. "Not patching can leave companies open to compromise. Companies need to get into the routine of testing and applying patches, for the sake of compliance."

Compliance issues can arise if companies are subject to regulations such as PCI DSS (Payment Card Industry Data Security Standard), where non-compliance can result in fines, or Sarbanes-Oxley, where weaknesses in security controls in systems such as Enterprise Resource Planning can lead to "consequences" for C-level officers, said Buss.

Oracle periodically releases patches in the form of Critical Patch Updates. The next Oracle Critical Patch Update is due to be released on Tuesday 15 January, and in a pre-release announcement, Oracle warned that this update will contain "27 security fixes across hundreds of Oracle products". Some of the vulnerabilities to be addressed in the Critical Patch Update affect multiple products, Oracle added.

Products affected include versions of Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, Oracle PeopleSoft Enterprise PeopleTools and Oracle PeopleSoft Enterprise Human Capital Management. Ten of the 27 vulnerabilities to be addressed may be exploited remotely without authentication, said the pre-release announcement.

Buss said that companies should patch vulnerabilities identified by the manufacturer, list updates to work out if they need to be installed, and instititute a timed procedure to test and update necessary patches.

However, there are also ways of mitigating the risk of compromise without patching, said Buss. Companies can deploy technologies that monitor data flows between database servers and hosts on the network, and inspect traffic for anomalies. Organisations should also build network architecture that doesn't allow PC traffic to go into the data centre, said Buss.

Survey: Most Oracle professionals don't patch - ZDNet UK

Some of the concerns in the article are things like "don't patch to avoid downtime" - why, being hit by a security flaw will generate a huge amount of downtime - when you realise your inpacted.  Monitoring traffic to look for concerns - again, too late if you monitor - just in time if you pass through rather than sit on the outside.

ttfn

David