Oracle delivers delayed patches

The fixes come about eight months after a security researcher told the database software maker of the problems.

Robert Lemos
Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Database software maker Oracle pushed out a host of long-awaited patches after struggling to organize its software fixes into a monthly release schedule.

Released on Tuesday, the patches fix flaws in several of the company's products, including versions 10g, 9i and 8i of its Oracle Database Server and versions of its 10g and 9i Application Server. The flaws range from common memory errors known as buffer overflows to allowing an attacker to take control of the servers by inserting commands into instructions sent to the database.

Next-Generation Security Software, the company that found the problems, said it would withhold the details of the problems for three months, but labeled them "critical."

"This three-month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public," the company stated in an advisory released on Wednesday.

In mid-August, Oracle stated that it would move to a monthly patching schedule to ease the burden on its customers. The company blamed the patch delay, seven months at that time, on the chaos caused by the change to development.

"While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers," the company said at the time.

Microsoft moved last October to providing monthly patches.

An Oracle advisory stated that no adequate workaround has been found for the flaws, so companies are urged to patch their systems.