Oracle opts for fixed patch alerts to cut costs and simplify planning

Oracle will begin issuing quarterly security patch updates from January 2005 in a bid to simplify patch management.

Mary Ann Davidson, chief security officer at the software company, said, "The quarterly schedule strikes a balance between issuing patches often enough to protect customers from serious vulnerabilities while making it easier for customers to manage the maintenance process."

The company hopes this strategy will help users plan configuration management rather than reacting to unscheduled patch alerts. It said the fixed schedule would also avoid common black-out dates when users would not want to update their systems, such as during quarterly financial reporting.

Davidson said the patch updates should help users to lower the cost of applying patches by delivering a single, well-integrated and well-tested patch that fixes multiple, high-priority vulnerabilities.

Ronan Miles, chairman of the UK Oracle User Group, welcomed the change in patch policy, as scheduled patch updates from Oracle would allow users to plan their database maintenance. However, he wanted to see a sound plan in place from Oracle to combat security threats that occur outside the normal patch cycle.

He said, "My concern would be that an 'emergency issue' mechanism should also be available for use as and when required so that there is no chance that any very visible and known threat remains open for what could be up to 12 weeks."

Sherif Hammad, director at NGSoftware, a security company which has been credited with identifying several new holes in Oracle software, was also concerned with the 12-week patching cycle.

"When there is a critical update users need to patch ad hoc. They need to plan quicker if there is an exploit in the wild," Hammad said.

In his experience, security holes were being identified more often than every three months, making a 12-week cycle "a bit long", he said.

Earlier this month analyst company Gartner criticised Oracle for refusing to provide more information about the consequences for users if they do not apply a critical patch known as security patch 68.

Gartner warned that Oracle had not said whether the vulnerabilities affect older, non-supported versions. "At worst, records in every Oracle database you own could be vulnerable," it said.