Oracle Corp. has taken plenty of flak for releasing security bulletins that are hopelessly difficult to decipher. In response, the database giant will unveil a new, easier-to-digest bulletin when it releases its quarterly critical patch update (CPU) Tuesday.
The Redwood Shores, Calif.-based vendor outlined the upcoming changes in its Oracle Global Product Security blog Wednesday. Among the changes, Oracle will:
- Adopt the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws each patch addresses;
- Specifically identify critical flaws that may be remotely exploitable without requiring authentication to the targeted system; and
- Provide an executive summary of the security vulnerabilities addressed in the CPU.
Oracle said the changes are the result of feedback it received from "many" customers.
"The template of the new documentation received positive feedback, and we hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly," the company said. "Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication."
In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that its patching process can be difficult to follow.
The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers of flaws not being fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.
Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.