Results 1 to 2 of 2

Thread: Oracle is ready to declare its own monthly "Patch Day."

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Oracle is ready to declare its own monthly "Patch Day."

    The database maker confirmed on Thursday that it plans to start releasing patches on a specific day each month. The move mimics Microsoft's decision last October to release patches for its software on the second Tuesday of each month.

    "We believe a single patch, encompassing multiple fixes on a predictable schedule, better meets the needs of our customers," the company said in a statement sent to CNET News.com. "While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers."

    The move could signal a trend in the software industry in which applications and operating-system makers start scheduling the release of fixes. While many security researchers have criticized the regular release of patches as more beneficial to the software makers' public image than to the firms' customers, others believe that regular fixes do help security.

    "The most important aspect here is that information technology groups can schedule updates and rollouts and you don't have a surprise patch-of-the-day," said Gerhard Eschelbeck, chief technology officer of vulnerability assessment firm Qualys.

    Qualys recently released data from its vulnerability assessment service that showed that companies are patching systems faster. The "vulnerability half-life," the time to reduce the number of systems vulnerable to a flaw by half, has shrunk from 30 days in 2003 to 21 days in the first half of this year, Eschelbeck said at a recent security conference.

    Some of the gain may be due to the new patching schedule introduced by Microsoft, a possibility that Eschelbeck is investigating. In addition, the software giant's practice of releasing many fixes in a single "rolled up" patch makes the updates easier to apply, said Rik Farrow, an independent security consultant.

    "Rolling up patches reduces the burden a lot," he said. "In that way, they are better."

    However, while companies appear to be getting better at patching, some data may show that software makers that change to regularly scheduled patches may move less quickly to fix flaws. Many critics believe that Microsoft has fixed several flaws too slowly, pointing out that the software giant required more than 200 days to produce a patch--published in January--for a flaw brought to the company the previous July.

    Oracle made the decision to go to a monthly patching schedule earlier in the year, and blames the change for a delay in issuing fixes for a host of security problems found by a researcher more than seven months ago.

    "The issues discussed in recent press coverage have been fixed and Oracle will issue a security alert soon," the company said in its statement.

    In the end, a larger monthly patch is better than many smaller ones, if the patches don't cause problems, Dennis Devlin, vice president and corporate security officer for Thomson Corp., a business information provider, said at the RSA Conference earlier this year.

    "The best practice in (patching) comes from the Hippocratic Oath: Do no harm," he said. "As long as the patches don't harm the systems, then they are good."
    Source : http://zdnet.com.com/2100-1105_2-5317165.html
    -Simon \"SDK\"

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    "The best practice in (patching) comes from the Hippocratic Oath: Do no harm," he said. "As long as the patches don't harm the systems, then they are good."

    That doesn't necessarily mean that they do any good... either, but such is the hypocritical oath.

    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •