Oracle moves to quarterly patch release schedule

Computerworld - Oracle Corp. today announced that it is moving to a quarterly patch release schedule in response to user demands for a more predictable process for applying needed security fixes to the company's software. The move comes amid continuing criticism of the company's handling of a recent major security update by analyst firm Gartner Inc.
The first set of patches under Oracle's new schedule will be released Jan. 18 via the company's support Web site, with subsequent releases slated for April 12, July 12 and Oct. 18.
The quarterly Critical Patch Update schedule will allow users to better plan for security fixes while at the same time not exposing them to undue risks, Mary Ann Davidson, the company's chief security officer, said at a news conference earlier today. "We think there's a number of benefits to doing it this way. Based on a lot of discussions [with users] we feel confident that this will strike a good balance."
Under the Critical Patch Update program, Oracle will release highly integrated patches that combine fixes for multiple high-priority vulnerabilities, Davidson said. The patches will be cumulative, meaning users who miss applying patches one quarter can apply a cumulative update the following quarter that addresses both the previous problems and any new ones that might have cropped up, Davidson said.
All of Oracle's major products will be covered, she said.
Oracle's move to a quarterly schedule "is going to make it a lot easier for companies to plan for these [fixes] and will be well received," said Rich Niemiec, former president of the International Oracle Users Group and CEO of TUSC, a Chicago-based consultancy. The "announcement today should solve a lot of issues with security patches" that Oracle has been having, he said.
"It's good news for users," agreed Howard Muffler, director of enterprise services at Embry-Riddle Aeronautical University in Daytona Beach, Fla., which uses a wide variety of Oracle products. Having a predictable update schedule will eliminate the "waiting game" for companies when it comes to Oracle security patches, Muffler said.
Oracle's move comes less than a week after Gartner issued an advisory blasting the company for its failure to disclose enough details of the vulnerabilities addressed by a critical patch released by Oracle in August. Patch 68 was given the highest severity rating by Oracle and affects several of its products, including its database and application server products. Oracle reissued an alert relating to the patch in mid-October after a proof-of-concept exploit began circulating on the Internet (see story).
But Oracle's refusal