Oracle to score risk of vulnerability patches
The application of patches in the Oracle Critical Patch Update
(CPU) is expensive, risky and time-consuming.
Many risk-averse companies take an "If it's not broken, don't fix
it" approach to patches, applying only those patches that have a known
impact on their applications.
To assist these shops,
Oracle has announced that it will begin prioritizing its
patches, noting the vulnerability exposure associated with each:
"Unlike Apple and Microsoft, Oracle has resisted rating the
vulnerabilities it discloses when it rolls out patches. But in
the past the company has been hammered by critics more for its
slow pace in patching than for a lack of rankings.
Oracle is also known for its massive CPUs, which at times have
detailed dozens of vulnerabilities. In April, for example, the
first-quarter CPU patched 36 flaws, while July's second-quarter
batch contained 65 bug fixes."
Maurice has noted that Oracle is adopting the Common
Vulnerability Scoring System to help customers decide which patches:
"With the October 17th Critical Patch Update, Oracle will
introduce three major enhancements in its CPU documentation:
- Oracle is adopting the Common Vulnerability Scoring
- Oracle will specifically identify those critical
vulnerabilities that may be remotely exploitable without
requiring authentication to the targeted system.
- Oracle will provide an executive summary of the security
vulnerabilities addressed in the CPU."
Since it's usually the IT manager who decides which patches to
apply, the new CPU will contain a plain English executive summary
explaining the vulnerabilities that are closed by each patch:
"This executive summary will provide a "plain English"
explanation of the vulnerabilities addressed in the CPU. The
summary may be used to brief executive management and other
non-IT groups on the nature of the defects to be patched. This
enhancement is designed to help organizations assess their
preparedness for the upcoming CPU."