Pete Finnigan's Oracle Security Weblog

I just found two more news stories about the new Oracle security quarterly patch schedule announced late lat week. http://www.theregister.co.uk/2004/11/19/oracle_quarterly_patch/ (broken link) The first is a report by John Leyden of The Register a respected UK based security news site. The short article makes interesting reading. John makes a good point:

"Oracle ought to consider the impact of having an unfixed security bug across its customer base for months on end"

That is a by product of not patching for security issues regularly enough. Whilst its hard work for customers to patch regularly there is also a risk rightly pointed out here if a serious bug becomes known just after a patch release. Customers could wait months for a fix. John goes on to say:

"Oracle's public pronouncement doesn't give much room for manoeuvre but we hope database giant has the good sense to issue an emergency fix in circumstances where a security flaw is been actively exploited"

As I said interesting points.

The second news item I found is on vnunet makes interesting comments about the timing of the patches. The writer points out that the dates chosen never fall awkwardly for Oracle in terms of financial results so that they will never have to explain security issues at sensitive times. This article also makes the point about the risks involved in waiting for security patches for known security bugs.