October 2006 is going to be a major month for Oracle. First, the database and middleware powerhouse has made some significant changes to its patch management process.
Secondly, it released its quarterly set of database and application patches on October 17th. The full list of patches is available on Oracle’s website, but interestingly enough, I didn’t notice any link to the patches directly available from the Oracle homepage.
A total of 101 patches have been made available, 63 of them database-specific, with the rest spread across the various application suites that Oracle has built or acquired in recent years. Some 45 of the vulnerabilities can be exploited remotely.
In providing a more detailed bulletin for its patches, Oracle is catching up to Microsoft in the vulnerability management arena. This is something that many users have been clamoring for, to facilitate prioritization of testing and remediation.
The Register had the following to say on this subject:
Oracle today published the mother of all security patches containing 101 fixes for flaws in its database, application server, E-Business Suite and PeopleSoft and JD Edwards applications.
Almost half – 45 – of the flaws can be exploited by a hacker over a network, while at least six errors in the Oracle database HTTP server can be exploited without the hacker requiring any user name or password. A re-assuring 22 database flaws do at least require some form of authentication.
In total, Oracle’s latest quarterly critical patch update (CPU) features 63 fixes for the database, 14 for its application server, 13 for the E-Business Suite, nine for PeopleSoft and JD Edwards, and two for Oracle’s Java 2 Enterprise Edition containers on the client. Oracle introduced the quarterly CPU system in November 2004.
This is the latest chapter of a painful security story for Oracle that makes Microsoft, whose software is the internet’s number-one target, appear a community role model.
Now, let’s see how long it takes Apple to finally get on the “More Info in Patch Bulletins” bandwagon…