Thread: Oracle keeps many users waiting on April patches

user name
2006-05-03 06:27:30
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,111098,00.html

By Robert McMillan
IDG NEWS SERVICE
MAY 02, 2006

Testing problems are forcing some Oracle Corp. users to wait a little longer than usual for the company's latest round of security patches, the first of which were released last month.

Though Oracle offered patches for a number of its most popular products as part of its April 18 Critical Patch Update, it had said that updates for many other versions of the products would not become available until May 1. Now, the database vendor is saying that many of those critical updates may not be available until as late as May 15.

Oracle typically releases about 150 patches for a variety of different operating systems in its Critical Patch Updates, which ship every three months.

The problem with the April update is that some of the patches have not yet passed the comprehensive suites of tests that Oracle uses to ensure that they will not disrupt customers' applications, said Darius Wiles, manager of Oracle Security Alerts.

"There were some [updates] that failed out of the test suite, so we needed some more time to test them," Wiles said.

Oracle is particularly eager to complete testing and release updates for some of the more widely used versions of its database, including version 8.1.7.4 and 10.1.0.4. But the company first needs to ensure that the new software will not disrupt customers, Wiles said.

Oracle users can find more information on the estimated delivery date of Oracle's patches by checking the pre-installation notes Oracle has published for each of its products. These can be found on Oracle's MetaLink online support service by searching for document 360464.1.

Security researcher and Oracle critic David Litchfield believes that by waiting so long to update some versions of its products, Oracle is undermining the value of its regular patch release cycle, which is designed to provide customers with regular, predictable software updates.

In an interview, Litchfield criticized both the lateness of the updates and their quality.

"The whole point of a regular patch cycle is that people can plan ahead and install once," said Litchfield, managing director of Next Generation Security Software Ltd., in Sutton, England. "But if you are having to install it nine times, where's the benefit of that?"

Litchfield estimates that two-thirds of Oracle's supported products are now unpatched, leaving many users vulnerable.

But Wiles countered that the problem appears to be worse than it is. Because updates for some applications, such as Oracle's application server, are dependent on the database fixes, there has been a bottleneck effect with the updates. "Once we get the database stuff cleared, there are going to be a whole bunch of products that are going to be patched."

Though some security researchers such as Litchfield are critical of Oracle's delays, most customers prefer that the software vendor deliver a tested and reliable product, said David Kennedy, a senior risk analyst with Cybertrust Inc., in Herndon, Virginia. "I'm sympathetic with Oracle," he said. "They get barbecued for not coming up with patches fast enough."

"On the other hand," he said, "they could be just slow and lazy."
