No More Details

By Lisa Vaas  |  Posted 2004-11-18

The patch release schedule, due to begin Jan. 18, will encompass patches for all Oracle products, including Application Server, Oracle Database, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle Collaboration Suite. The patches will be available via Oracle's MetaLink support site. Subsequent patches will be issued on April 12, July 12 and Oct. 18, with interim patches possible in the eventuality that serious, critical vulnerabilities arise, Oracle said.

These dates were chosen to accommodate customers' schedules, avoiding blackout periods when customers are, for example, closing books at the end of a quarter, Davidson said.
The database giant has no plans to increase the amount of detail it gives on patches, however, according to Davidson—an omission that some call regrettable. Analyst firm Gartner earlier this week issued a report in which it bemoaned Oracle's refusal to provide more detail on the consequences for users if they fail to apply security patch 68. According to the research note, Oracle declined to say whether the vulnerabilities affect older, nonsupported versions. "At worst, records in every Oracle database you own could be vulnerable," the report said.

Davidson defended Oracle's policy of keeping details close to the vest, saying that the company is walking a fine line between informing customers and giving hackers the information they need to exploit a given flaw in the wild.

"Our position has always been to strike a balance between providing enough information so customers know what the risk is for not applying a patch, and not giving people information to crack systems," she said. "It's certainly true that, as part of our ongoing discussions over the last year on moving to this patch model, we continue to talk about what is the right amount of information and what you need to decide whether you should apply the patch.

"That is not the same level of detail that some in the more technical research community want to see, but our primary focus is serving customers," Davidson said.

It's true: The more technical security research community would indeed like to see more information freely shared—particularly given that hackers already possess the information, Newman said.

"Unfortunately, all the hackers already know everything about this," he said. "The hackers are some of the people who found these [vulnerabilities], and the hackers are the ones who reported them to Oracle, and they're the ones already sharing exploit code on them. They're the ones who already have the information."

Read more here about security researchers calling for additional info from Oracle.

Newman said customers have been calling specifically seeking information on whether they should install patch 68 and what the issues are concerning workarounds, for example. "They haven't been able to get the information from Oracle," Newman said.

Gartner backs up Newman on the issue. "Gartner recognizes that making detailed information public could help hackers and lead to successful exploits," Gartner's note says. "However, providing details of an exploit differs from offering information about the implications of not protecting yourself against that exploit.

"We believe that Oracle is erring by refusing to discuss how vulnerable customers are if they do not apply the patch. System administrators do not have enough information to decide what to do (for example, which servers to prioritize or which data is most vulnerable), and this could delay the implementation of patches."

There are two fine lines to walk: how often to send out patches, and how much information to reveal. At this point, Oracle is playing it safe on both.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
