Oracle bulletins will rank patches, offer more detail

By Bill Brenner, Senior News Writer 12 Oct 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Oracle Corp. has taken plenty of flak for releasing security bulletins that are hopelessly difficult to decipher. In response, the database giant will unveil a new, easier-to-digest bulletin when it releases its quarterly critical patch update (CPU) Tuesday.

The Redwood Shores, Calif.-based vendor outlined the upcoming changes in its Oracle Global Product Security blog Wednesday. Among the changes, Oracle will:

• Adopt the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws each patch addresses;
• Specifically identify critical flaws that may be remotely exploitable without requiring authentication to the targeted system; and
• Provide an executive summary of the security vulnerabilities addressed in the CPU.

Oracle said the changes are the result of feedback it received from "many" customers.

"The template of the new documentation received positive feedback, and we hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly," the company said. "Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication."

Timeline: Oracle security May 8: Oracle refuses to learn its lesson, experts say April 19: Oracle fixes 36 more flaws April 11: Oracle accidentally exposes flaw, exploit

In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that its patching process can be difficult to follow.

The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers of flaws not being fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.

Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.

Tags: Database Security Management,  Web Application Security,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Web Application Security Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Scanning with N-Stalker offers basic Web application security assessment Attackers target PDF, DirectShow flaws with malicious banner ads New Bahama botnet evades search engines, fuels click fraud Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary