
Security Blog Log: Oracle makes Microsoft look good

Microsoft gets plenty of flak for slow patching, but this week bloggers say they'll take Microsoft's patch process over Oracle's any day.


Security Blog Log
It's clear people aren't happy with a company's patching process when they start suggesting the company should do things more like Microsoft.

After all, Microsoft has been criticized time and again for waiting too long to patch security holes. Remember the outcry just weeks ago over the Windows Metafile (WMF) flaw?

But bloggers had a somewhat different outlook on Microsoft's process after they got a look at the vast array of fixes Redwood Shores, Calif.-based Oracle Corp. unloaded Tuesday.

Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, offered a calm enough assessment of the latest flaws and fixes in his blog Tuesday: "This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands," he said.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights.


He offered a clear breakdown of what's in the actual Oracle advisory, and brought vulnerability details from German firm Red-Database-Security GmbH and Foster City, Calif.-based Imperva Inc. to his readers' attention.

But others were far more scathing in their analyses, comparing Oracle's patching process to Microsoft's and suggesting the database giant could learn a thing or two from the software giant.

"To be honest I like Microsoft's system (if I am to ignore how long it takes them to actually release patches)," computer researcher Gadi Evron said in the SecuriTeam blog. "With one of the latest vulnerabilities it took ONE HUNDRED AND SIXTY TWO DAYS for a patch to be released -- and for what, a font handling vulnerability?"

But that's nothing, Evron added, compared to how long it takes Oracle to patch other flaws. "Anyone here care to wager how long it took Oracle to release some of its new patches?" he asked. "I'll give you a hint, we can count it in years."

While Microsoft has a monthly process, he said, "Once in a blue moon [Oracle] comes out with so many patches it is difficult to count them. One such time was this week. Putting Oracle's ability aside for a moment, I would like to just tell Oracle one thing: A THOUSAND PATCHES RELEASED AT ONCE IS HORRIBLE, GET A GRIP!"

Evron concluded by suggesting Oracle adopt a saner patching process. "We should forget about responsible researchers, responsible disclosure and all that shizzle and start talking about responsible vendors," he said. "If the vendors are not responsible, how can they expect researchers to be?"

Washington Post cybersecurity expert Brian Krebs noted in his Security Fix blog that he had recently done an analysis of how long it takes vendors like Microsoft, Apple and Mozilla to fix security holes after they are brought to the companies' attention.

"Given the time-consuming but relatively painless experience of gathering data published by those three companies, I was wholly unprepared for the challenge that would confront me collecting the same data from Oracle, quite possibly the largest provider of database software that stores invaluable customer and corporate information for thousands of major businesses worldwide," he said.

One is exasperated by the sheer number of fixes to wade through at once and the complexity of the advisories, he said. And if the 82 fixes released this week seem like a bit much, Krebs noted that Oracle rolled out 88 patches with its previous quarterly update in October. Compare that to Microsoft, which released 55 last year for all of its software products.


"For many of the security researchers who discover and report those flaws to Oracle, the most galling data point is how long it can take the company to ship fixes to correct serious security holes," Krebs said. "Eight of the flaws addressed in Tuesday's patch bundle were reported by Alexander Kornbrust, a former Oracle employee and founder of Red-Database-Security GmbH. Kornbrust said he alerted Oracle to three of them more than two years ago, and that the company has yet to address at least 23 other flaws he's reported."

Krebs also noted that 11 of this month's patched vulnerabilities were reported by Argeniss Information Security, an Argentinian security research company. "Argeniss reported all 11 of those flaws to Oracle in late February 2005, and Oracle still has to address 76 other vulnerabilities Argeniss reported, some nearly two years ago, according to Argeniss researcher Esteban Martinez Fayo," he said.

For those who follow Oracle's quarterly patching process, all this is starting to sound familiar. Users, researchers and other security experts almost always complain of too few details and malfunctioning patches after an Oracle security update.

Despite the latest criticisms, Oracle has one thing going for it -- database administrators interviewed after the October release said they like that they don't have to deploy patches every month.

"At least with a quarterly process you know when the next release is coming and you can schedule the deployment work well ahead of time," Nirnay Patil, DBA for Boston-based wireless communications provider American Tower Corp., said at the time. "You can work out the manpower issues and all that. And when the patches come out, there's time to test things more carefully."

Of course, admins need a lot of time for careful testing and deployment when 82 patches arrive in one day, accompanied by advisories that require multiple reads to comprehend.

