After all, Microsoft has been criticized time and again for waiting too long to patch security holes. Remember the outcry just weeks ago over the Windows Meta File (WMF) glitch?
But bloggers had a somewhat different outlook on Microsoft's process after they got a look at the vast array of fixes Redwood Shores, Calif.-based Oracle Corp. unloaded Tuesday.
Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, offered a calm enough assessment of the latest flaws and fixes in his blog Tuesday: "This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands," he said.
But others were far more scathing in their analyses, comparing Oracle's patching process to Microsoft's and suggesting the database giant could learn a thing or two from the software giant.
"To be honest I like Microsoft's system (if I am to ignore how long it takes them to actually release patches)," computer researcher Gadi Evron said in the SecuriTeam blog. "With one of the latest vulnerabilities it took ONE HUNDRED AND SIXTY TWO DAYS for a patch to be released -- and for what, a font handling vulnerability?"
But that's nothing, Evron added, compared to how long it takes Oracle to patch other flaws. "Anyone here care to wager how long it took Oracle to release some of its new patches?" he asked. "I'll give you a hint, we can count it in years."
While Microsoft has a monthly process, he said, "Once in a blue moon [Oracle] comes out with so many patches it is difficult to count them. One such time was this week. Putting Oracle's ability aside for a moment, I would like to just tell Oracle one thing: A THOUSAND PATCHES RELEASED AT ONCE IS HORRIBLE, GET A GRIP!"
Evron concluded by suggesting Oracle adopt a saner patching process. "We should forget about responsible researchers, responsible disclosure and all that shizzle and start talking about responsible vendors," he said. "If the vendors are not responsible, how can they expect researchers to be?"
Washington Post cybersecurity expert Brian Krebs noted in his Security Fix blog that he had recently done an analysis of how long it takes vendors like Microsoft, Apple and Mozilla to fix security holes after they are brought to the companies' attention.
"Given the time-consuming but relatively painless experience of gathering data published by those three companies, I was wholly unprepared for the challenge that would confront me collecting the same data from Oracle, quite possibly the largest provider of database software that stores invaluable customer and corporate information for thousands of major businesses worldwide," he said.
One is exasperated by the sheer number of fixes to wade through at once and the complexity of the advisories, he said. And if the 82 fixes released this week seem like a bit much, Krebs noted that Oracle rolled out 88 patches with its previous quarterly update in October. Compare that to Microsoft, which released 55 last year for all of its software products.
Krebs also noted that 11 of this month's patched vulnerabilities were reported by Argeniss Information Security, an Argentinian security research company. "Argeniss reported all 11 of those flaws to Oracle in late February 2005, and Oracle still has to address 76 other vulnerabilities Argeniss reported, some nearly two years ago, according to Argeniss researcher Esteban Martinez Fayo," he said.
For those who follow Oracle's quarterly patching process, all this is starting to sound familiar. Users, researchers and other security experts almost always complain of too few details and malfunctioning patches after an Oracle security update.
Despite the latest criticisms, Oracle has one thing going for it -- database administrators SearchSecurity.com interviewed after the October release said they like that they don't have to deploy patches every month.
"At least with a quarterly process you know when the next release is coming and you can schedule the deployment work well ahead of time," Nirnay Patil, DBA for Boston-based wireless communications provider American Tower Corp., said at the time. "You can work out the manpower issues and all that. And when the patches come out, there's time to test things more carefully."
Of course, admins need a lot of time for careful testing and deployment when 82 patches arrive in one day, accompanied by advisories that require multiple reads to comprehend.