Oracle’s April patches late….



Oracle released 36 patches in mid-April as part of their quarterly patch cycle. Unfortunately, not all of the patches were released. Apparently they hadn’t finished testing, and users were advised to look for the remaining updates around the first of May. Well, guess what – they’re not out yet, and the word is that they won’t be until May 15th. This is one example of why I think it’s unwise to promise that patches will be released on a fixed date on a regular schedule. They should be releasing them as soon as each patch is tested and ready.


It’s like Microsoft’s patch cycle. Yesterday was the big day. What if a vulnerability hits today? It would likely be something MS has already been notified of, but since it wasn’t widely known they’ve held off. Yes, that sounds cynical, but I can’t count how many times I’ve read people document when they told MS about an issue versus when it was addressed. (Or when it was sort of addressed.) This is one of the things that makes me suspect that many companies still don’t “get it.” Here’s the ideal: the company is notified of a bug in its software, and it’s supposedly serious. They test and confirm it, they figure out how to fix it with the least “breakage” of other functionality possible, and they start testing the fix. (Perhaps even enlisting the original reporter to test it.) The next step MIGHT be wider testing if all goes well. If all testing goes well, release.

What I’m afraid actually happens is this: the company is notified of a bug in its software, supposedly serious. They test and confirm it. No public announcement has been made, so it’s put on the list of things to fix. Months later a public announcement is made to encourage action, and the company scrambles out a patch with some in-house testing. Of course, if no public announcement is ever made, then eventually the bug rises to the top of the list, it’s patched and tested, and the patch is released during the next patch cycle. All of this trusts that no one else knows about the problem.

The recent (April update) Explorer critical update is an example of a patch where I REALLY wonder how much testing it got. It seems as though there were WIDESPREAD problems for most anyone that had HP easyshare software installed. I don’t recall seeing ANY upfront compatibility warnings; all that I saw came out a few days after the fact.

Of course, if companies didn’t have the “routine” patch cycle date, then people wouldn’t know when to expect updates. Well, let’s face it, we don’t know when to expect zero-day exploits either. Set up an e-mail list that’s used only for software security updates and notify people through that. Then just release patches as soon as they’re ready. For that matter, set up an e-mail list for test patches so that they can get wider testing by people who are well informed of the consequences of testing security patches. I guess where I’ve gone wrong with all of this is that it makes the whole thing an open process, which most companies don’t want to even think about.
