The monthly patch plan didn't go over too well with customers. So starting Jan. 18, Oracle Corp. will issue vulnerability alerts and fixes on a quarterly basis, Chief Security Officer Mary Ann Davidson announced Thursday.
"We talked to a lot of our customers, and the general consensus was, 'Please don't give this to me monthly,'" Davidson said. "It's very costly for people to touch their systems, and we were looking for the sweet spot. We don't want to make people wait too long for patches, but we don't want to overwhelm them, either."
The Redwood Shores, Calif.-based company has taken plenty of heat in recent months over its patching process. In August, Oracle announced it would issue patches on a monthly basis after news of 34 vulnerabilities in multiple versions of its database server -- the majority of them critical -- was widely reported. David Litchfield, a researcher at U.K.-based NGSSoftware, discussed the vulnerabilities his company discovered during July's Black Hat Briefings in Las Vegas. Generally, he said, the flaws have to do with the Procedural Language/Structured Query Language and its triggers. One flaw allows an attacker to gain control of the database server without a user ID or password, while others allow low-privileged users to take over the database server.
The company issued its first update of the cycle Aug. 31 -- known as Security Patch 68 -- to address vulnerabilities in the 8i, 9i and 10g versions of its database, as well as the Oracle application server and enterprise manager software. Since then, some database administrators have struggled to update systems to a point where they can safely patch without breaking other applications in the process. They have then tried to apply a patch without knowing what it does or whether it will break a system. Oracle said it hasn't released full details of the flaws and potential workarounds because of the severity of the vulnerabilities and concern about giving potential attackers too much information.
Asked what she would say to critics regarding the switch from a monthly to quarterly schedule, Davidson said, "We never really went to a monthly schedule." Asked what was being done in response to concerns raised about Security Patch 68, Davidson said, "We issued patches, and we believe people are applying them."
With the quarterly system, Davidson said vulnerabilities will be fixed in order of their severity, and that individual releases will also include patches needed to address compatibility problems.
"We found customers want a schedule they can plan their maintenance around that fixes a number of things at once," Davidson said. She added that all patches will be cumulative, so if a customer doesn't patch one month, the following update will also patch problems from previous quarterly releases. For severe vulnerabilities in which exploits are in the wild, Davidson said Oracle will occasionally issue out-of-cycle patches.
"We don't want to make customers wait three months for something like that," Davidson said. "It's a difficult balancing act, putting out information to help out customers without giving attackers enough to craft an exploit."
The updates are scheduled to be issued to customers simultaneously via MetaLink, Oracle's support Web site, next year on Jan. 18, April 12, July 12 and Oct. 18.