Microsoft and Oracle Criticized for Holding Back Security Patches
Many shops are questioning the sheer volume of Microsoft patches
that relate to reliability and security exposures and are wondering
if Windows is a viable platform for Oracle databases:
http://www.oracle.ittoolbox.com/news/dispnews.asp?i=126725
“PatchLink's product management vice-president, Chris Andrew,
argued that situations such as this month's "patch Tuesday", when
Microsoft released 12 bulletins covering 17 security flaws, are bad
for firms because they leave systems vulnerable for too long.”
This article criticizes both Oracle and Microsoft Windows for
“holding” patches after hackers have exploited a weakness:
"It would be better releasing the alerts as [IT vendors] found
them, because by holding on to the information Microsoft is
effectively making the window for action smaller," said Andrew.
"It's usually hackers that find the problems in the first place, so
keeping the vital information away from customers is not good for
them."
In an earlier Oracle News alert, we noted that Microsoft patches are
very different from UNIX patches, and they often cannot be
backed out after application:
I sent my PC to a shop that specialized in such matters and I was
told that many others had experienced the same problem and they were
making significant revenue from the poorly implemented Windows
patches. I was told:
· Unlike UNIX and Linux patches, there is no
mechanism to back up and recover from “bad” patches. It’s a one-way
trip to a server outage, with no safety net.
· They would not be able to salvage my Windows
registry entries or my integrations with other products, and I would need
to start over, almost from scratch.