Survey: Two-thirds users don't deploy Oracle quarterly critical patches

If you build it, will they come?

Apparently not when it comes to Oracle's quarterly Critical Patch Updates (CPUs).

Database security firm Sentrigo released some surprising numbers Monday, culled from a survey of 305 database administrators, consultants, and developers in attendance at Oracle Users Group meetings last year.

The survey found that a staggering two-thirds of respondents had never applied an Oracle quarterly CPU. Not one, nada, a big fat zero.

And of the remaining 33 percent of survey respondents who did, only 10 percent noted they had gotten around to applying Oracle's more recent CPU, or the one before that.

"When it comes to installing the CPUs, it involves testing the applications that are running on the database. A single database may run three or four applications, or thousands of them. It takes a lot of time, and fixing a bug here, or there, in the database can affect the application," said Slavik Markovich, Sentrigo's chief technology officer.

Hopefully, database administrators will step up to the plate and take a swing at this cumbersome task, given Oracle is set to release its next quarterly Critical Patch Update on Tuesday--and we're talking 27 security patches across hundreds of Oracle products.

The upcoming CPU includes eight security patches for Oracle's database and six for its Oracle Application Server. While the database security flaws are believed to be less problematic in that the bad guys can't exploit them without such authentication as username and passwords, the Oracle Application Server security vulnerabilities aren't so lucky. These security flaws could be remotely exploited without authentication.

Despite this work ahead--or not if you're part of the group that never deploys the Oracle CPUs--one thing that you may find heartening is the 27 patches are far less than the 101 security fixes Oracle doled out in October 2006, as part of its Critical Patch Update.