Oracle Patch Schedule Could Aid Hackers

Oracle today announced a quarterly schedule of security bulletins and patch releases for 2005 that is “a bit of a tradeoff,” according to one analyst.

“I fully understand why Oracle would want to use a timed release-cycle, but I’m not sure what the reason is for their decision to move away from the monthly cycle that they had proposed a few months ago,” Ed Moyle, president of Security Curve, told CRM Buyer. “They may be responding to their customers or they may be responding to their software developers; either way, it’s arguably irresponsible to knowingly allow a vulnerability in a piece of critical enterprise infrastructure to remain unpatched for months at a time.”

Good and Bad in Scheduling

The database company will release the first patches Jan.18, followed by releases on April 12, July 12, and Oct. 18. It said that the schedule will allow customers to plan for patch installation instead of having to do emergency patches, but Moyle said there is a downside to scheduling.

“Oracle says that they want to spare their customers the pain associated with “emergency” patches, which is true — trying to manage patches in any size enterprise is a nightmare,” he said. “However, as we’ve already seen, when Microsoft made the move to a monthly patch cycle, malicious people (almost right away) started using their patch schedule to nefarious ends. Some folks have said that at least one virus may have been targeted to be released at an inconvenient time (when most Microsoft systems are unpatched).”

Another Hit

Gartner was no kinder to the database giant last week. Analysts Neil MacDonald and Rich Mogull wrote an advisory to clients stating that Oracle’s refusal to release specific information about security vulnerabilities dealt with in a released patch increased risk for Oracle’s customers.

“We believe that Oracle is erring by refusing to discuss how vulnerable customers are if they do not apply the patch. System administrators do not have enough information to decide what to do (for example, which servers to prioritize or which data is most vulnerable), and this could delay the implementation of patches,” they wrote.

Moyle also speculated that simply because of the way Oracle markets itself, it may be a bigger target.

“It would seem that Oracle is (rightfully so) less concerned about viruses than Microsoft is, but I would counter their ‘unbreakable’ campaign has made them an attractive target to the hacker community and, therefore, they may be in a particularly dangerous place to be leading the charge on long patch cycles,” he said. “There are a ton of not-so-nice people who would like nothing better than to publicly humiliate Oracle and say, ‘See, it’s breakable.'”

Oracle will release patches for software such as Application Server, Database Server and Enterprise Manager.