[ISN] Oracle offering early warning on security fixes

From: InfoSec News (alerts@private)
Date: Thu Jan 11 2007 - 22:04:24 PST


By Joris Evers
Staff Writer, CNET News.com
January 11, 2007

Following Microsoft's lead, business software giant Oracle is now giving 
system administrators a heads-up on its upcoming security patches.

As part of its quarterly patch cycle, Oracle on Tuesday plans to release 
fixes for 52 security vulnerabilities across its products, the company 
said in a note on its Web site Thursday. Some of the bugs are serious 
and could allow a system running the vulnerable Oracle software to be 
compromised remotely by an anonymous attacker, it said.

It is the first time Oracle has offered such advance notification. 
Microsoft has been giving customers a similar early warning since late 
2004. Both companies have put their patches on a schedule so customers 
know when to expect them. The additional heads-up is meant to allow for 
extra preparedness.

"This is something customers have asked us for," Darius Wiles, Oracle's 
senior manager of security alerts said in an interview Thursday. "They 
want a heads-up of what's coming so they can line up their operations 
staff to apply the patches."

Oracle's advance notification goes further than Microsoft's, which only 
states the product family for which patches will be released and gives 
broad indication of bug severity. Oracle also lists the number of 
vulnerabilities it plans to patch and details which products and 
components will get patches.

"The reason we included the components is because the customer may not 
be affected by certain vulnerabilities if they have not installed 
particular components," Wiles said.

Oracle is definitely a copycat, but it is copying a best practice, said 
John Pescatore, an analyst with Gartner. "It is a good idea," he said. 
"Microsoft has a lot of experience with issuing patches and dealing with 
what enterprises need to try to reduce the pain of patching."

Microsoft was also first with putting patches on a schedule in 2003, an 
example Oracle followed beginning in 2005. "I am not entirely surprised 
that we're seeing a convergence in the way different vendors are 
approaching security patch delivery," Wiles said.

Oracle, of late, has been more candid about its security update process. 
Its October quarterly update, which included fixes for 101 
vulnerabilities, for the first time included severity ratings. In that 
update, Oracle also indicated which bugs could be exploited over the 
Internet by anonymous attackers and added a summary of the security 
problems for each of its product categories.

Oracle's Tuesday "Critical Patch Update" is planned to include 27 fixes 
for Oracle database products, 12 for Application Server, seven for 
E-Business Suite, six for Enterprise Manager and three for PeopleSoft, 
according to Oracle's early warning note.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Jan 11 2007 - 22:27:26 PST