Oracle offering early warning on security fixes

Following Microsoft's lead, business software giant Oracle is now giving system administrators a heads-up on its upcoming security patches.

As part of its quarterly patch cycle, Oracle on Tuesday plans to release fixes for 52 security vulnerabilities across its products, the company said in a note on its Web site Thursday. Some of the bugs are serious and could allow a system running the vulnerable Oracle software to be compromised remotely by an anonymous attacker, it said.

It is the first time Oracle has offered such advance notification. Microsoft has been giving customers a similar early warning since late 2004. Both companies have put their patches on a schedule so customers know when to expect them. The early warning is meant to allow for extra preparedness.

"This is something customers have asked us for," Darius Wiles, Oracle's senior manager of security alerts, said in an interview Thursday. "They want a heads-up of what's coming, so they can line up their operations staff to apply the patches."

Oracle's advance notification goes further than Microsoft's, which only states the product family for which patches will be released and gives broad indication of bug severity. Oracle also lists the number of vulnerabilities it plans to patch and gives details of which products and components will get fixes.

"The reason we included the components is because the customer may not be affected by certain vulnerabilities, if they have not installed particular components," Wiles said.

Oracle is definitely a copycat, but it is copying a best practice, said John Pescatore, an analyst at Gartner. "It is a good idea," he said. "Microsoft has a lot of experience with issuing patches and dealing with what enterprises need to try to reduce the pain of patching."

Microsoft was also first with putting security updates on a schedule in 2003, an example Oracle has followed since 2005. "I am not entirely surprised that we're seeing a convergence in the way different vendors are approaching security patch delivery," Wiles said.

Oracle, of late, has been more candid about its security update process. Its October quarterly update, which included fixes for 101 vulnerabilities, for the first time included severity ratings. In that update, Oracle also indicated which bugs could be exploited over the Internet by anonymous attackers and added a summary of the security problems for each of its product categories.

Oracle's Tuesday "Critical Patch Update" is planned to include twenty-seven fixes for Oracle database products, twelve for Application Server, seven for E-Business Suite, six for Enterprise Manager and three for PeopleSoft, according to Oracle's early warning note.