
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle announce critical patch update schedule - beginning January 18 2005

I have just logged into Metalink to read a headline news item published yesterday that finally announces Oracle's new critical patch schedule. The patches will be released on a quarterly schedule and will occur on Jan 18, April 12, July 12 and October 18 next year. Following years are to be announced, I suppose. The patches will include fixes for significant security vulnerabilities found, and will include fixes that are pre-requisites for these patches. The note, written by Mary Ann Davidson, who is the Chief Security Officer for Oracle, also says that the patches will include fixes that customers will likely want to apply. Hopefully this will mean that more information will be included to assist companies in assessing risk in relation to these patches.

If critical security issues are found and fixed between the scheduled dates, then one-off patches and security alerts will be released through Metalink.

There is a FAQ available on Metalink that describes the process in more detail.

Stephen Kost of Integrigy Inc has said to me that he felt Oracle had thought this through to some degree, that the choice of Tuesdays for the release date makes sense, and that a quarterly release schedule is similar to the ad hoc few months between previous releases anyway. Stephen also said that he felt the choice to release one big patch for all products, as with Alert 68, is not good. A separation of releases per product would be clearer for all concerned, and the separation of risk would be easier to do.

I agree with Stephen entirely that Tuesday is a good choice; well, it's better than Monday or Friday, for instance. A quarterly schedule is also a good choice; I even suggested as much in a previous blog entry. It is better, much better, than monthly on manpower grounds alone. If customers had to patch monthly, most likely a good percentage would not do it.

The two key issues I feel that Oracle needs to improve on are, firstly, one big patch for all products with no separation, which could be improved, and secondly the lack of detailed information so that customers can make informed risk decisions. Related to this is the lack of information on older releases such as version 7.x and 8.0.x. Oracle's advice is always to upgrade, but this is often very impractical for customers with a lot of older releases who are faced with a patch that must be applied quickly. Customers using third party applications that need to keep older versions cannot simply upgrade or transfer to another customer's database.

This announcement is a very good step forward and I am glad that it looks like Mary Ann and her team have at least put some thought into it.