Oracle moves to monthly patching schedule

Weeks after coming under criticism for sitting on patches for multiple holes in its database software, Oracle Corp. has announced that it is moving to a monthly patch release schedule.

The company said that it is moving to the monthly model — which has already been adopted by Microsoft Corp. — because it believes that a predictable patch release schedule will be more convenient for its users.

"While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers," the Redwood Shores, Calif., company said in a statement released this week.

Oracle did not say when the monthly schedule would begin, and a representative for the company could not comment further on the matter.

The enterprise software vendor has generally been releasing patches when they are ready for all supported releases and platforms.

The change comes amid recent scrutiny of Oracle's security processes. Earlier this month, U.K. security researcher David Litchfield, of Next Generation Security Software Ltd., criticized the company for delaying the release of patches for 34 vulnerabilities discovered in its database software. At the time he said that patches had been ready for two months but they had not been released.

The move to monthly fixes is aimed at injecting some predictability to the patching process, and allows companies to test the fixes at once, rather than doing them one by one as they are released, according to Carole Theriault, a security consultant at Sophos PLC.

"It's a very good way to do it if you're not dealing with very critical patches," Theriault said. "However, customers should be given the option of downloading a bug fix right away so they can deal with critical issues as soon as possible, and test patches before they go live on their system."

Microsoft moved from a weekly to a monthly patch release schedule late last year, in an effort to streamline its distribution and reduce the number of headaches faced by customers who had to test and apply patches on a weekly basis.

Software makers in general have tried to become more responsive to their customers' security needs amid the increase in threats, Theriault said.

"Everyone has upped their games," she said. "It's just good business sense."

Related Content

Oracle's patch update offers 41 fixes
Of the vulnerabilities, 15 could be exploited remotely without a user name or password. Plus, why it pays to hold off installing modules you don't need

Getting it right when it comes to IT security
Just when we think Microsoft finally understands the importance of security, we get this WMF fiasco. Here was a situation with all the makings of a catastrophe: a zero-day attack based on a long-standing design flaw, discovered at a time when everyone’s on vacation, exploited using something as innocuous as a picture on a Web site.

Oracle to deliver security patches quarterly
In a move intended to be customer focused, Oracle Corp. will provide security patches for all of its products on a quarterly basis starting Jan. 18.