Oracle bulletins will rank patches, offer more detail

Bill Brenner, Senior News Writer

Oracle Corp. has taken plenty of flak for releasing security bulletins that are hopelessly difficult to decipher. In response, the database giant will unveil a new, easier-to-digest bulletin when it releases its quarterly critical patch update (CPU) Tuesday.

The Redwood Shores, Calif.-based vendor outlined the upcoming changes in its Oracle Global Product Security blog Wednesday. Among the changes, Oracle will:

  • Adopt the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws each patch addresses;
  • Specifically identify critical flaws that may be remotely exploitable without requiring authentication to the targeted system; and
  • Provide an executive summary of the security vulnerabilities addressed in the CPU.

Oracle said the changes are the result of feedback it received from "many" customers.

"The template of the new documentation received positive feedback, and we hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly," the company said. "Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication."

In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that the company's patching process can be difficult to follow.

The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers that flaws were not fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.

Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.