No More Details
The patch release schedule, due to begin Jan. 18, will encompass patches for all Oracle products, including Application Server, Oracle Database, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle Collaboration Suite. The patches will be available via Oracles MetaLink support site. Subsequent patches will be issued on April 12, July 12 and Oct. 18, with interim patches possible in the eventuality that serious, critical vulnerabilities arise, Oracle said.The database giant has no plans to increase the amount of detail it gives on patches, however, according to Davidsonan omission that some call regrettable. Analyst firm Gartner earlier this week issued a report in which it bemoaned Oracles refusal to provide more detail on the consequences for users if they fail to apply security patch 68. According to the research note, Oracle declined to say whether the vulnerabilities affect older, nonsupported versions. "At worst, records in every Oracle database you own could be vulnerable," the report said. Davidson defended Oracles policy of keeping details close to the vest, saying that the company is walking a fine line between informing customers and giving hackers the information they need to exploit a given flaw in the wild. "Our position has always been to strike a balance between providing enough information so customers know what the risk is for not applying a patch, and not giving people information to crack systems," she said. "Its certainly true that, as part of our ongoing discussions over the last year on moving to this patch model, we continue to talk about what is the right amount of information and what you need to decide whether you should apply the patch. "That is not the same level of detail that some in the more technical research community want to see, but our primary focus is serving customers," Davidson said. Its true: The more technical security research community would indeed like to see more information freely sharedparticularly given that hackers already possess the information, Newman said. "Unfortunately, all the hackers already know everything about this," he said. "The hackers are some of the people who found these [vulnerabilities], and the hackers are the ones who reported them to Oracle, and theyre the ones already sharing exploit code on them. Theyre the ones who already have the information." Read more here about security researchers calling for additional info from Oracle. Newman said customers have been calling specifically seeking information on whether they should install patch 68 and what the issues are concerning workarounds, for example. "They havent been able to get the information from Oracle," Newman said. Gartner backs up Newman on the issue. "Gartner recognizes that making detailed information public could help hackers and lead to successful exploits," Gartners note says. "However, providing details of an exploit differs from offering information about the implications of not protecting yourself against that exploit. "We believe that Oracle is erring by refusing to discuss how vulnerable customers are if they do not apply the patch. System administrators do not have enough information to decide what to do (for example, which servers to prioritize or which data is most vulnerable), and this could delay the implementation of patches." They are two fine lines to walk: how often to send out patches, and how much information to reveal. At this point, Oracle is playing it safe on both. Check out eWEEK.coms for the latest database news, reviews and analysis.
These dates were chosen to maximize customers schedules, avoiding blackout periods when customers are, for example, closing books at the end of a quarter, Davidson said.