is stepping up its efforts to keep security problems to a minimum with a new patch policy.

The Redwood Shores, Calif.-based software giant has decided to adopt a monthly cycle of addressing security upgrades and fixes for viruses instead of dealing with them on a quarterly or yearly basis. The company said it would continue to issue individual alerts for the most egregious security

The process is similar to Microsoft’s patch update schedule — every second Tuesday, to be exact. Oracle’s plan, which officially launched the first week in August, includes notification to Oracle’s customers and subscribers followed by instructions and links to FTP

“Oracle is moving to a monthly patch rollup model, because we believe a single patch encompassing multiple fixes, on a predictable schedule, better meets the needs of our customers,” Oracle spokeswoman Letty Ledbetter told internetnews.com. “While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers.”

Oracle said it offers the most widely tested software of all the major software vendors, with several international security evaluations — 17 for database, 19 overall. The company said it believes in the value of multiple assessments, compared to one evaluation for Microsoft’s database and none for IBM. When software security flaws are discovered, Ledbetter said, Oracle responds as quickly as possible with patches and workarounds.

The change in Oracle’s release schedule coincides with the emergence of security holes in its software. Earlier this month, UK-based Next Generation Security Software (NGS Software) said it found 34 security vulnerabilities in Oracle Database, Oracle Application Server and Oracle Enterprise Manager. While Ledbetter said the security holes have been fixed, the company was criticized for apparently sitting on the patches. Oracle also said the switch to a monthly update and the security problems were coincidental.

“Oracle company policy requires that significant security issues be fixed on all supported releases and platforms,” Ledbetter said. “Generally, a security alert will be issued when all patches are ready. This policy ensures that our customers are treated equally, receiving the same level of notification and protection.”