Oracle Security Alerts Get Overdue Makeover

Oracle plans to adopt a vendor-neutral vulnerability scoring system as part of a major revamp of its difficult-to-read quarterly security bulletins.

Oracle plans to make a significant change to the way product flaws are described in its security bulletins, an admission of sorts that the quarterly alerts were almost impossible to understand.

Beginning with the Oct. 17 release of the scheduled CPU (Critical Patch Update), the Redwood Shores, Calif., database vendor will start adding severity scores to the bulletins along with an executive summary of the flaws being patched and a new section highlighting bugs that are remotely exploitable without authentication credentials.

The company will use the vendor-neutral CVSS (Common Vulnerability Scoring System) standard to compute severity scores strictly from metrics and formulas.

Oracle will offer two CVSS scores—on a scale of 1 to 10—to help customers determine which flaws are considered high risk.

The CVSS scoring system, the brainchild of the Department of Homeland Securitys National Infrastructure Advisory Council, has struggled to gain adoption since it was unveiled in 2005, but Oracles support could turn out to be a huge boost.

/zimages/6/28571.gifClick here to read more about the CVSS scoring system.

In the past year, CVSS scores have started appearing in advisories from companies such as Cisco Systems, Qualys, Nessus and Skype.

In addition, the National Institute of Standards and Technologys National Vulnerability Database has completed CVSS scores for more than 15,000 vulnerabilities in its system.

Microsoft remains a significant holdout, relying instead on its proprietary flaw-rating system that describes vulnerabilities as "critical," "important," "moderate" or "low."

According to Darius Wiles, senior manager for security alerts at Oracle, the use of CVSS was driven by customer demand.

"This gives us some new features that will be very helpful to customers. They want a way to rank vulnerabilities based on importance and severity," Wiles said in an interview with eWEEK.

In the new-look bulletins, Oracle will list the highest-ranked CVSS scores at the top, offering a quick overview of the flaws the company considers the most dangerous.

"Well calculate the base score and provide guidelines for customers to understand CVSS. Over time, we think this will be the standard way to issue an advisory," Wiles said.

The bulletins will also feature an extra column that explains whether vulnerabilities can be exploited remotely without user name and password authentication.

"Well simply say yes or no to give customers some instant guidance on these flaws that present a higher risk. Its a way to flag the serious flaws and put the information right at their fingertips," Wiles said.

The third change will see an executive summary added to the CPU alerts, detailing whats being fixed in tabular form. The summaries will be released separately for each product suite, Wiles said.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.