Oracle announced its patch updates, including 254 security fixes along its product families, according to the company's April 2018 Patch Advisory. The company released a unique Critical Patch Update in January following the Spectre and Meltdown vulnerabilities disclosure.
Customers who failed to update vulnerabilities with already available patches are still experiencing attacks, according to the company. Customers who "failed to apply" the available patches became victims of successful exploit campaigns.
Oracle's Patch Advisory comes a day after its Chief Security Officer Mary Ann Davidson said that customers should know what they're getting from providers and "demand better assurance" at the RSA Conference in San Francisco Wednesday.
"Checkbox-based security" is not fundamentally working anymore, according to Davidson. It's no longer the most secure method of cybersecurity, in part due to how fragmented the threats on a system are.
Software and hardware vulnerabilities add to this headache because the former can be constantly patched by its provider, whereas hardware demands a deeper investigation.
Hardware's trustability is rooted in the integrity of each physical piece it's made of and the manufacturers who provide them. But once one providers' flaws are exploited, it puts the rest of the system at risk.
This was seen in the Meltdown and Spectre vulnerabilities. Because of flaws in computer chips, including mostly Intel chips, software companies like Oracle were forced to offer their own remediations as well.
As attacks on the supply chain are expected to continue, monitoring when a vendor announces its patches is crucial to basic cybersecurity hygiene.
Davidson noted that Oracle has not always been so transparent about its updates, leaving some customers to feel that they were not provided the tools needed to prevent an attack. However, patches were readily available, they were just not as publicized, and she recognized the frustrations associated with that.
Oracle has since tried to improve how it notifies customers of a potential risk, but customers should ask only targeted questions in terms of cybersecurity, according to Davidson. How risk assessment execution should be limited to the impact on a customer's individual business, instead of the attack as a whole.
This will help better sculpt security concerns between customer and provider and therefore strengthen defense.