Oracle bulletins will rank patches, offer more detail

Bill Brenner

Oracle Corp. has taken plenty of flak for releasing security bulletins that are hopelessly difficult to decipher. In response, the database giant will unveil a new, easier-to-digest bulletin when it releases its quarterly critical patch update (CPU) Tuesday.

The Redwood Shores, Calif.-based vendor outlined the upcoming changes in its Oracle Global Product Security blog Wednesday. Among the changes, Oracle will:

  • Adopt the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws each patch addresses;
  • Specifically identify critical flaws that may be remotely exploitable without requiring authentication to the targeted system; and
  • Provide an executive summary of the security vulnerabilities addressed in the CPU.

Oracle said the changes are the result of feedback it received from "many" customers.

"The template of the new documentation received positive feedback, and we hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly," the company said. "Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication."

In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that the company's patching process can be difficult to follow.

The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers of flaws not being fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.

Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.
