Oracle has released a new quarterly update that patches 154 vulnerabilities across more than 50 products, but experts said Oracle should consider moving away from the quarterly release cycle -- at least for its most popular products.
Java and Oracle Fusion Middleware received the most patches in this release, with 25 and 23 patches, respectively. Java was hit especially hard, as 24 of the 25 patches are for flaws that can be remotely exploited without authentication, according to Oracle. Of the 23 patches for Fusion Middleware, 16 fix vulnerabilities that can be remotely exploited without authentication.
Eric Maurice, software security assurance director for Oracle, said in a blog post that enterprises should apply patches as soon as possible because of the large number of severe vulnerabilities addressed. Of the 154 Oracle patches, 76 fixed issues that could be remotely exploited without authentication.
Both Wolfgang Kandek, CTO for Qualys Inc., based in Redwood City, Calif., and Tyler Reguly, security research manager for Tripwire Inc., based in Portland, Ore., said Oracle should move to a faster patch release schedule -- especially for more popular products, such as Java and Fusion Middleware -- because three months can be a long time in security.
"It's a very long time to sit between releases, and it's a real hindrance to desktop security both for individuals and enterprises. Personally, I think a quarterly patch cycle for any popular product is an awful idea these days," Reguly said. "When Oracle first moved to quarterly patches, it was true that it introduced stability into a very complicated patching process. At this point, however, moving up to a monthly or even bimonthly release cycle would greatly improve the security of their products."
Maurice defended Oracle's choice to keep security updates for these products on a quarterly schedule.
"Critical Patch Updates are released four times a year, in a schedule that is announced a year in advance. This predictability is intended to provide Oracle customers the ability to plan for the timely application of these security fixes, so that they can maintain their security posture," Maurice wrote. "The predictability of the Critical Patch Update schedule is intended to provide Oracle customers with the ability to include security patching in their regular maintenance activities."
However, Reguly said that Oracle's explanation was little more than rationalizing an outdated concept, and any company still using an annual, biannual or quarterly patch cycle is doing its customers "a disservice."
"The patch philosophy of Oracle and several other major companies was once considered bleeding-edge. Unfortunately, the times have changed and patches should be shipping quicker," Reguly said. "Several big companies are adapting to the more security-conscious world, shipping patches in a much more timely manner. There are still lumbering dinosaurs. These large, older companies will soon find themselves behind the times and struggling to keep up in the security world. When we're at a point where irresponsible disclosure is frowned upon, irresponsible patch release cycles should be treated with the same disdain. They only benefit the attackers at this point."