dcsimg
 

Oracle Borrows Security Notice Method from Microsoft

By Ryan Naraine  |  Posted 2007-01-11 Email Print this article Print
 
 
 
 
 
 
 

WEBINAR:
On-Demand

Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce


The database giant is implementing an advance notice mechanism similar to Microsoft's that offers flaw details and severity ratings ahead of its quarterly Critical Patch Updates.

Borrowing a page directly from Microsoft's playbook, Oracle has implemented an advance notice mechanism for its quarterly release of security patches.

Beginning with the first CPU (Critical Patch Update) for 2007, due on Jan. 16, the database server giant is implementing a CPU Pre-Release Announcement that includes the name of version numbers of Oracle products affected by patches, a total count of vulnerabilities being fixed and a severity score for the most serious product flaws.

Microsoft started offering advance notice on its monthly security bulletins in late 2003, but when word leaked out it was only available for premium customers, the company expanded the mechanism to provide the pre-patch overview to everyone.

Now, Oracle is following suit as part of a larger attempt to improve its highly criticized security response and patch release process. It is also going a step further by providing more details than Microsoft, including the specific product components affected, the actual vulnerability count and "any other information that may be relevant to help organizations plan for the application of the CPU in their environment."

According to Duncan Harris, senior director of security assurance at Oracle, the new mechanism is aimed at helping customers plan for patch testing and deployment when the updates are eventually shipped.

"While Oracle will try to make CPU Pre-Release Announcements as accurate as possible at the time of their publication, the information they contain may change before the actual publication of the CPU," Harris said in a blog entry.

Click here for more on how Oracle is trying to improve its security alerts.

"It is our hope that these Pre-Release Announcements will become valuable tools to help security professionals analyze the criticality of the forthcoming CPUs and brief their management to obtain any necessary approvals for a timely application of the CPUs," he added.

On Jan. 16, Oracle will ship a mega CPU with fixes for 52 vulnerabilities affecting a wide range of database and application server products. The highest CVSS (Common Vulnerablity Scoring System) base score of vulnerabilities across all products is 7.0.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.

 
 
 
 
 
 
 
 
 
























By submitting your information, you agree that channelinsider.com may send you channelinsider offers via email, phone and text message, as well as email offers about other products and services that channelinsider believes may be of interest to you. channelinsider will process your information in accordance with the Quinstreet Privacy Policy.

 
 
 
 
 
 

Submit a Comment

Loading Comments...
























By submitting your information, you agree that channelinsider.com may send you channelinsider offers via email, phone and text message, as well as email offers about other products and services that channelinsider believes may be of interest to you. channelinsider will process your information in accordance with the Quinstreet Privacy Policy.

 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date