Pete Finnigan's Oracle Security Weblog

I just found yet another take on the new quarterly patch schedule, this time on computer world. This time written by Jaikumar Vijayan. The article is quite good, it concludes with a quote from Mary Ann Davidson the Oracle security chief, the author of the item said:

"Davidson, however, defended Oracle's stance and said the company had released the information necessary for administrators to install the patch. The goal is to try and provide enough information to users without giving hackers a "road map" for taking advantage of flaws, she said"

This for me is the key issue, customers need to know enough to asses the risk, especially with older versions of Oracle for which there are no patches available but there are plenty of production systems running them. I agree with Mary Ann's sentiment here but I do not believe Oracle go far enough. The details of the bugs fixed are very sparse and the information we get is mainly from the people who found the issues when they release their advisories. The problem is only Oracle know exactly what was fixed including bugs they themselves found and will never make public. Customers need what Mary Ann alludes to but I think Oracle need to go a bit further with the information that is available for the bugs. I also wholeheartedly agree with Mary Ann that it is important to not create a road map for hackers but customers do need more to properly assess risk.