Oracle Corp. said today during a teleconference it is revamping its security patch release process in the wake
of heavy criticism from analysts and customers who say it has taken a haphazard approach to addressing vulnerabilities.
The software maker is backtracking on a change earlier this year, when it said it would release patches on a monthly schedule. Instead it is rolling out a quarterly schedule beginning in January.
Oracle also issued an e-mail advisory to customers recently, urging them to reapply patch 68, issued in August if the patch was downloaded from Oracle's support Web site before Oct. 19. The message said the patch issued prior to Oct. 19 was incorrect.
Oracle has come under fire after it released security patch 68, which addressed in late August more than two dozen flaws discovered earlier this year. DBAs have complained that they were left in the dark on exactly what flaws the patch addresses and whether there are any workarounds.
The flaws had been found in versions 8i, 9i and 10g database, Oracle application server and enterprise manager software.
Under the new release schedule, organizations can plan configuration management rather than being surprised by unscheduled patch alerts, said Mary Ann Davidson, who serves as chief security officer at Oracle.
The fixed schedule also helps companies avoid conducting updates during critical business times such as at the end of the quarter when most businesses are closing their books. The goal is to deliver a single, well-integrated and well-tested patch that fixes multiple, high-priority vulnerabilities, Davidson said.
"This allows them to have a schedule they can plan maintenance around," Davidson said. "They can apply various patches as needed to critical components."
Oracle will reserve the right to release a fix at any time and without warning to customers if vulnerabilities are severe enough to warrant a patch, Davidson said.
While the latest announcement from Oracle doesn't clear up the implications of the vulnerabilities addressed in patch 68, it does give a clear signal that it will follow a routine schedule without surprising customers, said Neil MacDonald, group vice president and research director of the information security team at Stamford, Conn.-based Gartner Inc. The schedule does open up a whole new set of issues, MacDonald said.
"Quarterly is manageable if they are clear about addressing security vulnerabilities as they leak out," MacDonald said. "These security patch sets are going to be bigger, more complex and require more testing."
Oracle has not said whether it will amend a policy of not supporting versions that customers fail to update following six weeks after a patch is released. Larger patches should require more time, MacDonald said.
Arup Nanda, a security expert and Norwalk, Conn.-based DBA who is president of Proligence, an Oracle consultancy said Oracle has been fumbling communications since it issued patch 68. Nanda said that DBAs are frustrated having to apply patches without knowing what they do and if they will break a system.
Nanda opposes a quarterly patch cycle, saying patches should be released throughout the year to allow customers to determine when and if a patch should be applied.
"Waiting a full quarter to address vulnerabilities is unacceptable to customers," Nanda said. "Patches should come from Oracle the moment they identify something and fix something no matter how critical the vulnerability."
Other DBAs say Oracle is struggling to address customer concerns since the software vendor rarely releases patches that reach the severity of patch 68.
"I think they are doing the best the can as far as vulnerabilities although the whole situation is a far cry from the advertising slogan, the unbreakable database," said Donald Freeman a DBA at the Pennsylvania Department of Health.
"We haven't been overly stressed with patch problems," Freeman said. "The management here is reluctant to order installation of patches under the theory that if we are not experiencing any obvious problems we are likely to create them through a patch install."