This marks the first time the database giant has offered a peek into its scheduled security updates in hopes of helping "customers plan for their forthcoming patching effort," Duncan Harris, senior director of security assurance, said Thursday on the Oracle Global Product Security Blog.
The "pre-release announcement" is similar to the approach Microsoft takes five days before its so-called Patch Tuesdays, delivered the second Tuesday of each month.
The brunt of the patches - 27 - is scheduled for Oracle Database vulnerabilities, 10 of which can be remotely exploited without user authentication. Another 12 fixes are slated for Oracle Application Server flaws, eight of which are open to remote attack.
Fixes also will be issued for the E-Business Suite, Enterprise Manager and PeopleSoft Enterprise solutions.
The new notification initiative follows a decision in October by Oracle to use the Common Vulnerability Scoring System (CVSS) to rate bugs, identify those flaws that are critical and remotely exploitable, and include a "high-level" overview of each defect and fix - again similar to Microsoft's approach.
Oracle has made efforts to improve communication with customers over security issues. At the start of last year, the company was heavily criticised within the industry because of the large numbers of fixes it was issuing, for delaying the release of other fixes and for not recommending necessary workarounds.
For first time, Oracle announces quarterly patch plans
By Dan Kaplan on Jan 12, 2007 3:54PM