Rob Sherman has never liked Microsoft's monthly patching cycle. Whether a fix is available or not, he wants to be told about security holes immediately so he knows what to watch for.
"Monthly security updates are insufficient," said Sherman, manager of IT security and network operations for Boston-based wireless communications provider American Tower Corp. "Even if there's no patch at that point, let me know what to look for when I'm monitoring my network activity. I don't care if they send three advisories a day. I want to know now."
His colleague, Nirnay Patil, manages American Tower's Oracle database. Despite Sherman's frustration, he's not bothered that Oracle Corp. has taken a page from Microsoft's playbook, adopting its own monthly patch release.
"In Oracle's case, a once-a-month update might be better because more downtime is needed to patch their systems," Patil said. "You have to shut the system down on a Friday night when everyone goes home and work on the upgrades through the weekend. Files must be properly backed up before patches are applied. Unlike Windows, Oracle systems have multiple layers to work through, so it seems wise to give people a month in between updates to catch up."
Despite criticism of Microsoft's patch cycle, reaction to Oracle's decision so far seems positive.
The Redwood Shores, Calif.-based company announced its decision to do monthly security updates last week after news of 34 vulnerabilities in multiple versions of its database server -- the majority of them critical -- was widely reported. David Litchfield, a researcher at U.K.-based NGSSoftware, discussed the vulnerabilities his company discovered at length during last month's Black Hat Briefings in Las Vegas. Generally, he said, the flaws have to do with the Procedural Language/Structured Query Language and its triggers. One flaw allows an attacker to gain control of the database server without a user ID or password, while others allow low-privileged users to take over the database server.
An Oracle spokesperson acknowledged the decision was hastened by Litchfield's announcement of the flaws. "Security is a matter we take seriously at Oracle and, while we stand firmly behind the inherent security of our products, we are always working to do better," the company said in a statement. "The issues discussed in recent press coverage have been fixed and Oracle will issue a security alert soon." That alert is expected by Tuesday.
"Oracle is moving to a monthly patch rollup model because we believe a single patch encompassing multiple fixes, on a predictable schedule, better meets the needs of our customers," she added.
Thomas Cox, an Oracle expert and independent IT consultant based in Portland, Ore., agreed a monthly approach is prudent. "You need a regular, disciplined patch schedule," he said. "The problem isn't when patches aren't available, it's when the patches are released and people don't apply them. A lot of the attacks we've seen have exploited problems for which patches were available. A monthly schedule is necessary because people aren't reliable about patching. This will encourage more discipline."
Cox added that it's good to know when patches are coming, and he said Oracle hasn't been as bad as other companies in announcing vulnerabilities. He agreed with Sherman that users should be alerted to security holes as quickly as possible.
Sherman agreed people who don't apply patches upon release are part of the problem. But he said that doesn't change the fact that some companies are too slow to tell users about vulnerabilities.
"Anyone who thinks hackers will wait for vendors to tell them the vulnerabilities is extremely naïve," Sherman said. "I need to know about flaws when they're confirmed. As it is, we're switching to another antivirus provider because they only release advisories once a week. That's not enough."