Oracle Patching Speed under Fire
In a recent blog, Bill Brenner of SearchOracle addresses the issue of
Oracle customers complaining about Oracle's slow response time in
releasing patches for critical flaws in Oracle's applications:
http://searchoracle.techtarget.com/columnItem/0,294698,sid41_gci1161076,00.html?track=NL-94&ad=541204
Brenner quotes computer researcher Gadi Evron concerning the release
of Oracle patches:
But that's nothing, Evron added, compared to how long it
takes Oracle to patch other flaws. "Anyone here care to wager
how long it took Oracle to release some of its new patches?" he
asked. "I'll give you a hint, we can count it in years."
While Microsoft has a monthly process, he said, "Once in a blue
moon [Oracle] comes out with so many patches it is difficult to
count them. One such time was this week. Putting Oracle's
ability aside for a moment, I would like to just tell Oracle one
thing: A THOUSAND PATCHES RELEASED AT ONCE IS HORRIBLE, GET A
GRIP!"
In a related article, Joris Evers of CNET News reported that David
Litchfield, a noted bug hunter, has found yet another security flaw
that has yet to be patched:
http://news.com.com/Oracle+critiqued+again+over+patching+speed/2110-1002_3-6031339.html?tag=html.alert
The flaw can be exploited by an attacker to gain full
administrator-level control of a database server through a Web
server, Litchfield wrote. He provides a workaround in the mail
so Oracle users can protect themselves against attacks. The flaw
was reported to Oracle on Oct. 26. Litchfield had hoped that
Oracle would provide a fix or a workaround on its recent patch
release day. "They failed to do so," he wrote.