[Infowarrior] - Oracle offering early warning on security fixes

[Richard Forno]

Oracle offering early warning on security fixes

By Joris Evers
http://news.com.com/Oracle+offering+early+warning+on+security+fixes/2100-100
2_3-6149632.html

Story last modified Thu Jan 11 16:46:10 PST 2007


Following Microsoft's lead, business software giant Oracle is now giving
system administrators a heads-up on its upcoming security patches.

As part of its quarterly patch cycle, Oracle on Tuesday plans to release
fixes for 52 security vulnerabilities across its products, the company said
in a note on its Web site Thursday. Some of the bugs are serious and could
allow a system running the vulnerable Oracle software to be compromised
remotely by an anonymous attacker, it said.

It is the first time Oracle has offered such advance notification. Microsoft
has been giving customers a similar early warning since late 2004. Both
companies have put their patches on a schedule so customers know when to
expect them. The early warning is meant to allow for extra preparedness.

"This is something customers have asked us for," Darius Wiles, Oracle's
senior manager of security alerts, said in an interview Thursday. "They want
a heads-up of what's coming, so they can line up their operations staff to
apply the patches."

Oracle's advance notification goes further than Microsoft's, which only
states the product family for which patches will be released and gives broad
indication of bug severity. Oracle also lists the number of vulnerabilities
it plans to patch and gives details of which products and components will
get fixes.

"The reason we included the components is because the customer may not be
affected by certain vulnerabilities, if they have not installed particular
components," Wiles said.

Oracle is definitely a copycat, but it is copying a best practice, said John
Pescatore, an analyst at Gartner. "It is a good idea," he said. "Microsoft
has a lot of experience with issuing patches and dealing with what
enterprises need to try to reduce the pain of patching."

Microsoft was also first with putting security updates on a schedule in
2003, an example Oracle has followed since 2005. "I am not entirely
surprised that we're seeing a convergence in the way different vendors are
approaching security patch delivery," Wiles said.

Oracle, of late, has been more candid about its security update process. Its
October quarterly update, which included fixes for 101 vulnerabilities, for
the first time included severity ratings. In that update, Oracle also
indicated which bugs could be exploited over the Internet by anonymous
attackers and added a summary of the security problems for each of its
product categories.

Oracle's Tuesday "Critical Patch Update" is planned to include twenty-seven
fixes for Oracle database products, twelve for Application Server, seven for
E-Business Suite, six for Enterprise Manager and three for PeopleSoft,
according to Oracle's early warning note.