RealTime IT News

Oracle Adopts Monthly Patch Cycle

Oracle is stepping up its efforts to keep security problems to a minimum with a new patch policy.

The Redwood Shores, Calif.-based software giant has decided to adopt a monthly cycle of addressing security upgrades and fixes for viruses instead of dealing with them on a quarterly or yearly basis. The company said it would continue to issue individual alerts for the most egregious security breaches.

The process is similar to Microsoft's monthly security patch update schedule, which falls on the second Tuesday of each month. Oracle's plan, which officially launched the first week in August, includes notification to Oracle's customers and subscribers followed by instructions and links to FTP sites.

"Oracle is moving to a monthly patch rollup model, because we believe a single patch encompassing multiple fixes, on a predictable schedule, better meets the needs of our customers," Oracle spokeswoman Letty Ledbetter told internetnews.com. "While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers."

Oracle said it offers the most widely tested software of all the major software vendors, with several international security evaluations -- 17 for database, 19 overall. The company said it believes in the value of multiple assessments, compared to one evaluation for Microsoft's database and none for IBM. When software security flaws are discovered, Ledbetter said, Oracle responds as quickly as possible with patches and workarounds.

The change in Oracle's release schedule coincides with the emergence of security holes in its software. Earlier this month, UK-based Next Generation Security Software (NGS Software) said it found 34 security vulnerabilities in Oracle Database, Oracle Application Server and Oracle Enterprise Manager.

While Ledbetter said the security holes have been fixed, the company was criticized for apparently sitting on the patches. Oracle also said the switch to a monthly update and the security problems were coincidental.

"Oracle company policy requires that significant security issues be fixed on all supported releases and platforms," Ledbetter said. "Generally, a security alert will be issued when all patches are ready. This policy ensures that our customers are treated equally, receiving the same level of notification and protection."