Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur.

The range and seriousness of the vulnerabilities patched in this update cause us great concern. The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access. Oracle...

We recommend that users shield themselves before addressing vulnerabilities, but in this case they can’t apply a shield and are exposed to possible attack until the patch is applied.

(This) shows Oracle can no longer be considered a bastion of security. Database and application managers must begin protecting and maintaining Oracle systems more aggressively.

Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet.

Manufacturers have the option to keep their process control system separate. We do not recommend giving a manager a desktop machine to do e-mail while that person is managing the production network, because one slip...

I think we’re doing a moderate job and relying a little too much on databases historically being deeper within the enterprise. Some examples of really bad practices are static passwords stored in clear text in...

Moreover, patching is sometimes impossible, due to ties to legacy versions that Oracle no longer supports. These practices are no longer acceptable.

We’ve since updated this assumption and now predict that by the second quarter of 2006, 85 percent of large enterprises will have initiated encryption projects.

The information provided with the [Oracle] patches is limited, making it more difficult for organizations to protect themselves from possible attacks. Oracle applications are typically used in environments that are more sensitive than a Windows...