By Joris Evers
Staff Writer, CNET News.com
January 11, 2007
Following Microsoft's lead, business software giant Oracle is now giving
system administrators a heads-up on its upcoming security patches.
As part of its quarterly patch cycle, Oracle on Tuesday plans to release
fixes for 52 security vulnerabilities across its products, the company
said in a note on its Web site Thursday. Some of the bugs are serious
and could allow a system running the vulnerable Oracle software to be
compromised remotely by an anonymous attacker, it said.
It is the first time Oracle has offered such advance notification.
Microsoft has been giving customers a similar early warning since late
2004. Both companies have put their patches on a schedule so customers
know when to expect them. The additional heads-up is meant to allow for
"This is something customers have asked us for," Darius Wiles, Oracle's
senior manager of security alerts said in an interview Thursday. "They
want a heads-up of what's coming so they can line up their operations
staff to apply the patches."
Oracle's advance notification goes further than Microsoft's, which only
states the product family for which patches will be released and gives
broad indication of bug severity. Oracle also lists the number of
vulnerabilities it plans to patch and details which products and
components will get patches.
"The reason we included the components is because the customer may not
be affected by certain vulnerabilities if they have not installed
particular components," Wiles said.
Oracle is definitely a copycat, but it is copying a best practice, said
John Pescatore, an analyst with Gartner. "It is a good idea," he said.
"Microsoft has a lot of experience with issuing patches and dealing with
what enterprises need to try to reduce the pain of patching."
Microsoft was also first with putting patches on a schedule in 2003, an
example Oracle followed beginning in 2005. "I am not entirely surprised
that we're seeing a convergence in the way different vendors are
approaching security patch delivery," Wiles said.
Oracle, of late, has been more candid about its security update process.
Its October quarterly update, which included fixes for 101
vulnerabilities, for the first time included severity ratings. In that
update, Oracle also indicated which bugs could be exploited over the
Internet by anonymous attackers and added a summary of the security
problems for each of its product categories.
Oracle's Tuesday "Critical Patch Update" is planned to include 27 fixes
for Oracle database products, 12 for Application Server, seven for
E-Business Suite, six for Enterprise Manager and three for PeopleSoft,
according to Oracle's early warning note.
Subscribe to InfoSec News