Major Security Patch Overhaul For Oracle

Oracle has overhauled its security patch policy after a growing number of complaints from customers and even its own executives.

Starting on January 18, the company said it will begin issuing regularly scheduled patches for Oracle Application Server, Oracle Database, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle Collaboration Suite.

The updates will be available to partners and customers simultaneously via MetaLink, Oracle’s support Web site. After the January patch is issued, the company said it would update customers on a quarterly schedule (April 12, July 12 and October 18).

“Organizations prefer regular, planned schedules for patching their information technology systems,” Mary Ann Davidson, Oracle’s chief security officer, said in a statement.

Davidson is scheduled to field questions from reporters and analysts today on the changes.

Analysts said the shift in policy may have been prompted by problems with the patches themselves. IT analyst firm Gartner has issued a critical report about the patch process and an Oracle vice president in Germany recently fired off a missive that criticized the company on its delayed patch schedule.

Earlier this year, the Redwood Shores, Calif.-based software giant said it would adopt a monthly patch release cycle. Similar to the way administrators have counted on Microsoft’s updates, Oracle saw an opportunity to address security upgrades and fixes for viruses instead of dealing with them on a quarterly or yearly basis. The alerts include notification to Oracle’s customers and subscribers followed by instructions and links to FTP sites.

The first round of updates went off without a hitch. But by October, Oracle had missed its own deadline to deliver a monthly cycle and some clients began struggling with updates that could break applications, including Alert #68, Rev 2, which was issued back in August.

Oracle said the patch would protect customers from malicious code that could be used to exploit legacy Oracle products. (The patch affected Oracle Database Server, Oracle Application Server and Oracle Enterprise Manager. Oracle gave these patches its most serious “Severity 1” rating.)

On November 9, in a conversation with Gartner, Oracle declined to provide more detailed information about the vulnerabilities security patch 68 was meant to fix, in keeping with Oracle’s standard policy on discussing vulnerabilities before patches are ready.

It reissued a warning on October 14 after proof-of-concept exploit code began circulating on the Internet.

Oracle told Gartner that an exploit against these vulnerabilities would look like a legitimate SQL*NET conversation and not depend on “bad” or malformed SQL*NET commands that could be easily blocked.

Neil MacDonald, vice president and research director at analyst firm Gartner, said the policy of not providing enough information is causing Oracle’s users to be less secure, not more.

“It essentially waves a red flag to hackers challenging them to find the problems while at the same time not providing enough information for users to get them moving,” he told

“This will come back to bite Oracle if an exploit appears that circulates quickly on the Internet and exposes Oracle data to unrestricted read/write access (and where the users haven’t applied the patches because they didn’t know how vulnerable they really were).”

MacDonald and his associate Rich Mogull said clients were complaining that six weeks of support for patch sets is not even close to enough time to test and deploy; that more information was needed so that system administrators could make their own decisions about when and how quickly security updates are applied; and that not disclosing whether older, unsupported versions are affected makes things worse.

Pete Finnigan, an Oracle security audit specialist and author of the book Oracle Security Step-By-Step Guide, told he has been in contact with a number of sites running large numbers of version 7.x and 8.x databases that are either nervous or blindly assume they are not affected. Finnigan suggests the problem is that only Oracle insiders truly know which security bugs are fixed in each release and what they are.

“Oracle needs to commit to a clear schedule for security releases,” Finnigan said. “This should be done with the ‘help’ of some ‘key’ customers. Upgrading hundreds of databases monthly would make customers start to think about alternate database software as the running costs will increase due to the increased workload.

They also need to be more proactive with information released on the bugs that are being fixed so that customers know the risks but hackers cannot simply create exploits.”

A company spokesperson was not immediately available to comment on the suggestions. Oracle has said in the past that its customers, partners and developers all get the same alerts at the same time, and that the company will continue its policy of issuing individual alerts for the most egregious security breaches.