Oracle moves to monthly patching

Oracle released a host of patches this week as it moves to a monthly release schedule.

The database giant made patches related to versions 10g, 9i and 8i of its Database Server and versions 10g and 9i of its Application Server available on Tuesday via its MetaLink website.

Some of the patches fix issues that have been outstanding for seven months.

UK security company Next Generation Security Software (NGSS), which had reported some of the vulnerabilities to Oracle, described them as "critical".

"The vulnerabilities range from buffer overflow issues, PL/SQL Injection, trigger abuse, character set conversion bugs and denial of service," said NGSS.

The firm also said it would give administrators a three-month window to test and apply the patches released on Tuesday before publicly releasing details of the flaws on 31 November.

Oracle announced last month that it planned to release all patches on a monthly basis, but has still to set to a regular date. Last October, Microsoft began issuing software patches on a single day each month.

However, Butler Group senior research analyst Mike Thompson criticised the move to monthly patching.

He argued that administrators like to fix flaws when demand for computing resources is low, rather than all at once, to prevent systems being "unavailable" at important times.

"What are administrators supposed to do for the other 29 days? This [patch-day trend] is absolutely for Microsoft's and Oracle's benefit so they effectively have a clear month when they are not hassled by users," he said.

Ronan Miles, Oracle UK User Group chairman, disagreed. "This is a step in the right direction," he said.

"We want Oracle to say to the customer who identifies the flaw or vulnerability on the day, 'here's the fix,' while everybody else gets the family of fixes that work best together after testing on the 30th day."