At Oracle OpenWorld this week, company execs spent a good chunk of their stage time talking about security. Executive chairman Larry Ellison, for example, extolled the security virtues of Oracle’ s (ORCL) new M7 microprocessor, which he said bakes software security features from the latest release of its Oracle database right into the silicon.
Ellison mentioned several times that security problems arise because customers either do not enable the software’s security features or intentionally switch them off. That ability, however, will not be an option with the M7 since “we turn it on and you can’t turn it off,” he told show attendees.
The remarks come just weeks after Oracle,(ORCL) which had no comment on this story, released an eyebrow-raising set of 154 security fixes in a Critical Patch Update covering many of its key products. It is particularly important with this update that customers implement right away because the update includes “a number of fixes for very severe vulnerabilities,” according to a blog post about the update.
An IT consultant who works with federal agencies on Oracle implementations said this update was nothing short of a scandal because Oracle’s “entire product fleet was affected: pretty much every database, middleware web and app server. Everything,” said the specialist who requested anonymity because he works with the company’s customers.
Some of the vulnerabilities could give uncredentialed hackers the ability to remotely execute operations. In theory, that means a random-but-code-savvy Joe Shmoe with access to the Internet could run database queries on your business system, or even change data values. “That’s bad,” the consultant said.
The gnarly issue of patching software is not unique to Oracle, but because the company has made a point of calling its own products “unbreakable,” it pretty much put a bullseye on its own back. Hackers love a good challenge after all.
Gartner (IT)research director Lawrence Pingree said technology providers have to issue patches promptly to keep customers safer from data breaches. “It is quite well known in the security industry that one of the best ways to avoid a data breach is to simply make sure you are deploying patches quickly,” he said via email.
But, although patch updates are standard operating procedure, Oracle is in the spotlight because so many customers use the company’s databases and financial applications to run their businesses, which leaves little room for tolerance or error. We’re not talking about Candy Crush here.
It also doesn’t help that many corporate customers have come to resent Oracle’s technical support and maintenance fees. If you’re paying 22% of your license cost to stay supported, you have high expectations when it comes to security.
Meanwhile, it probably did not help Oracle’s relationships when in August Mary Ann Davidson, Oracle’s chief security officer, took to her blog to chastise corporate customers for performing their own security tests on company software. In the post she even noted that such tests could violate their licensing agreements. The blog was quickly pulled down and Oracle backed away from her claims.
Never ones to let a good crisis go to waste, tech companies are using these security woes to push customers to move to what they’re painting as cloud Nirvana. As Oracle CEO Mark Hurd stressed during his keynote, most enterprise applications are now 20 years old—that’s a lot of legacy code that needs to be maintained, bolstered, and updated. Oracle’s new pitch is for customers to move to the cloud—Oracle’s cloud of course. “We are fully patched, fully secured, fully encrypted,” Hurd noted.
For more on data security from industry leaders including Arlette Hart, the chief information security officer of the FBI, be sure to check out the Structure Conference next month.
Follow Barb Darrow on Twitter at @gigabarb. Read her Fortune coverage at fortune.com/barb-darrow or subscribe via her RSS feed.
And please subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.
