The First Ever Critical Patch From Oracle
In its first Critical Patch Update of 2007, Oracle tackles 51 different security vulnerabilities. Although that may appear to be a high number, it is lower than in past updates, partly because of the company's new reporting methods.
The 51 patches are one fewer than the company promised to release when it posted its first-ever pre-announcement bulletin, with 26 in the company's flagship database. The other patched products include its Application Server, E-Business Suite and Applications, Enterprise Manager, PeopleSoft Enterprise and JD Edwards EnterpriseOne.
Eric Maurice, security manager for Oracle, wrote on a corporate blog that an issue had been detected in one of the database fixes for several database versions. In keeping with the company's policy, the fix was removed from the January CPU. Efforts are under way to address the issue and release the fix for all supported database versions in the next CPU in April.
By pre-announcing the patches in future updates and providing extensive details on what they will involve, the company intends to help customers be better prepared to protect their data.
Maurice explained that Oracle introduced the changes in response to customer feedback. The changes are meant to help customers evaluate the importance of the vulnerabilities corrected in each update, and to help them obtain patching decisions from their senior management much faster.
The company believes that the changes will eventually help boost security for clients through a standard approach to vulnerability scoring as well as more efficient internal communication.
The company has been criticized in the past for bombarding customers with a flood of security updates at one time. However, it has started altering its update procedures to make the patches easier to deploy.
For instance, in October 2006 the firm for the very first time issued documentation along with its updates to give affected IT departments comprehensive information on the vulnerabilities. The October patches, with no fewer than 101 fixes, were also the first to come with severity ratings from the firm.
The company now strongly advises users to apply the fixes as soon as possible. The next patch release is scheduled for April 17, 2007.
» SPAMfighter News - 20-01-2007