Oracle bulletins will rank patches, offer more detail

By Bill Brenner, Senior News Writer
12 Oct 2006 | SearchSecurity.com

Security Wire Daily News
Oracle Corp. has taken plenty of flak for releasing security bulletins that are hopelessly difficult to decipher. In response, the database giant will unveil a new, easier-to-digest bulletin when it releases its quarterly critical patch update (CPU) Tuesday.

The Redwood Shores, Calif.-based vendor outlined the upcoming changes in its Oracle Global Product Security blog Wednesday. Among the changes, Oracle will:

  • Adopt the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws each patch addresses;
  • Specifically identify critical flaws that may be remotely exploitable without requiring authentication to the targeted system; and
  • Provide an executive summary of the security vulnerabilities addressed in the CPU.

Oracle said the changes are the result of feedback it received from "many" customers.

"The template of the new documentation received positive feedback, and we hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly," the company said. "Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication."

In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that the company's patching process can be difficult to follow.

The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers of flaws not being fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.

Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.
