Oracle keeps many users waiting on April patches
Thorough and cautious or 'slow and lazy?'
IDG News Service - Testing problems are forcing some Oracle Corp. users to wait a little longer than usual for the company's latest round of security patches, the first of which were released last month.
Though Oracle offered patches for a number of its most popular products as part of its April 18 Critical Patch Update, it had said that updates for many other versions of the products would not become available until May 1. Now, the database vendor is saying that many of those critical updates may not be available until as late as May 15.
Oracle typically releases about 150 patches for a variety of different operating systems in its Critical Patch Updates, which ship every three months.
The problem with the April update is that some of the patches have not yet passed the comprehensive suites of tests that Oracle uses to ensure that they will not disrupt customers' applications, said Darius Wiles, manager of Oracle Security Alerts.
"There were some [updates] that failed out of the test suite, so we needed some more time to test them," Wiles said.
Oracle is particularly eager to complete testing and release updates for some of the more widely used versions of its database, including versions 18.104.22.168 and 10.1.0.4. But the company first needs to ensure that the new software will not disrupt customers, Wiles said.
Oracle users can find more information on the estimated delivery dates of Oracle's patches by checking the pre-installation notes Oracle has published for each of its products. These can be found on Oracle's MetaLink online support service by searching for Document: 360464.1.
Security researcher and Oracle critic David Litchfield believes that by waiting so long to update some versions of its products, Oracle is undermining the value of its regular patch release cycle, which is designed to provide customers with regular, predictable software updates.
In an interview, Litchfield criticized both the lateness of the updates and their quality.
"The whole point of a regular patch cycle is that people can plan ahead and install once," said Litchfield, managing director of Next Generation Security Software Ltd., in Sutton, England. "But if you are having to install it nine times, where's the benefit of that?"
Litchfield estimates that two-thirds of Oracle's supported products are now unpatched, leaving many users vulnerable.
But Wiles countered that the problem appears to be worse than it is. Because updates for some applications, such as Oracle's application server, are dependent on the database fixes, there has been a bottleneck effect with the updates. "Once we get the database stuff cleared, there are going to be a whole bunch of products that are going to be patched."
Though some security researchers such as Litchfield are critical of Oracle's delays, most customers prefer that the software vendor deliver a tested and reliable product, said David Kennedy, a senior risk analyst at Cybertrust Inc. in Herndon, Va. "I'm sympathetic with Oracle," he said. "They get barbecued for not coming up with patches fast enough."
"On the other hand," he said, "they could be just slow and lazy."