
For first time, Oracle announces quarterly patch plans

Oracle today announced it will offer 52 security fixes in Tuesday's scheduled quarterly patch release.

This marks the first time the database giant has offered a peek into its scheduled security updates in hopes of helping "customers plan for their forthcoming patching effort," Duncan Harris, senior director of security assurance, said Thursday on the Oracle Global Product Security Blog.

The "pre-release announcement" is similar to the approach Microsoft takes five days before its so-called Patch Tuesdays, delivered the second Tuesday of each month.

The bulk of the patches, 27, are scheduled for Oracle Database vulnerabilities, 10 of which can be remotely exploited without user authentication. Another 12 fixes are slated for Oracle Application Server flaws, eight of which are open to remote attack.

Fixes also will be issued for the E-Business Suite, Enterprise Manager and PeopleSoft Enterprise solutions.

The new notification initiative follows a decision in October by Oracle to use the Common Vulnerability Scoring System (CVSS) to rate bugs, identify those flaws that are critical and remotely exploitable, and include a "high-level" overview of each defect and fix - again similar to Microsoft's approach.

Oracle has made efforts to improve communication with customers over security issues. At the start of last year, the Redwood Shores, Calif., company was heavily criticized within the industry for the large number of fixes it was issuing, for delaying the release of other fixes and for not recommending necessary workarounds.

Click here to email reporter Dan Kaplan.
