(This) shows Oracle can no longer be considered a bastion of security. Database and application managers must begin protecting and maintaining Oracle systems more aggressively.

The range and seriousness of the vulnerabilities patched in this update cause us great concern. The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur.

Moreover, patching is sometimes impossible, due to ties to legacy versions that Oracle no longer supports. These practices are no longer acceptable.

Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet.

Manufacturers have the option to keep their process control system separate. We do not recommend giving a manager a desktop machine to do e-mail while that person is managing the production network, because one slip up and you can give somebody outside the company control of the system.

The information provided with the [Oracle] patches is limited, making it more difficult for organizations to protect themselves from possible attacks. Oracle applications are typically used in environments that are more sensitive than a Windows desktop, and they are more mission-critical.

We recommend that users shield themselves before addressing vulnerabilities, but in this case they can't apply a shield and are exposed to possible attack until the patch is applied.

We've since updated this assumption and now predict that by the second quarter of 2006, 85 percent of large enterprises will have initiated encryption projects.

I think we're doing a moderate job and relying a little too much on databases historically being deeper within the enterprise. Some examples of really bad practices are static passwords stored in clear text in applications and batch jobs, shared administrative accounts, no controls on DBA activity, etc. We can definitely be doing better.