Following Microsoft's lead, it opts to issue monthly fixes. But does that make customers more secure?
Staff Writer, CNET News.com
Oracle is ready to declare its own monthly "Patch Day."
The database maker confirmed on Thursday that it plans to start releasing patches on a specific day each month. The move mimics Microsoft's decision last October to release patches for its software on the second Tuesday of each month.
"We believe a single patch, encompassing multiple fixes on a predictable schedule, better meets the needs of our customers," the company said in a statement sent to CNET News.com. "While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers."
The move could signal a trend in the software industry in which applications and operating-system makers start scheduling the release of fixes. While many security researchers have criticized the regular release of patches as more beneficial to the software makers' public image than to the firms' customers, others believe that regular fixes do help security.
"The most important aspect here is that information technology groups can schedule updates and rollouts and you don't have a surprise patch-of-the-day," said Gerhard Eschelbeck, chief technology officer of vulnerability assessment firm Qualys.
Qualys recently released data from its vulnerability assessment service that showed that companies are patching systems faster. The "vulnerability half-life," the time to reduce the number of systems vulnerable to a flaw by half, has shrunk from 30 days in 2003 to 21 days in the first half of this year, Eschelbeck said at a recent security conference.
Some of the gain may be due to the new patching schedule introduced by Microsoft, a possibility that Eschelbeck is investigating. In addition, the software giant's practice of releasing many fixes in a single "rolled up" patch makes the updates easier to apply, said Rik Farrow, an independent security consultant.
"Rolling up patches reduces the burden a lot," he said. "In that way, they are better."
However, while companies appear to be getting better at patching, some data may show that software makers that change to regularly scheduled patches may move less quickly to fix flaws. Many critics believe that Microsoft has fixed several flaws too slowly, pointing out that the software giant to produce a patch—published in January—for a flaw brought to the company the previous July.
Oracle made the decision to go to a monthly patching schedule earlier in the year, and blames the change for for a host of security problems found by a researcher more than seven months ago.
"The issues discussed in recent press coverage have been fixed and Oracle will issue a security alert soon," the company said in its statement.
In the end, a larger monthly patch is better than many smaller ones, if the patches don't cause problems, Dennis Devlin, vice president and corporate security officer for Thomson Corp., a business information provider, said at the RSA Conference earlier this year.
"The best practice in (patching) comes from the Hippocratic Oath: Do no harm," he said. "As long as the patches don't harm the systems, then they are good."