Oracle Moves To Monthly Patch Schedule

Oracle made good on its promise to provide its first monthly security update by the end of August, posting fixes to scads of vulnerabilities in its core products.

The alert posted Tuesday on Oracle's Web site, outlined the patches that should be deployed to stifle security holes in numerous versions of Database, Application Server, Database Server, and Enterprise Manager.

The database vendor rated the Database Server and Application Server vulnerabilities as "high," its top ranking, and said that some of the flaws can be exploited by those without a valid user account (but requires access to the network). The Enterprise Manager vulnerabilities are rated as "medium" by Oracle, which added that they can be exploited only by people with a valid operating system user account.

The Database Server versions patched include Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4; Oracle9i Database Server 2, versions 9.2.0.4 and 9.2.0.5; and Oracle8i Database Server Release 3, version 8.1.7.4.

Application Server 10g, versions 9.0.4.0 and 9.0.4.1; Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1; and Oracle9i Application Server Release 1, version 1.0.2.2 are those affected by the security alert and patches.

Many of the vulnerabilities hark back to the beginning of the year, when Next Generation Security Software spotted more than 30 flaws, but demurred from going public until Oracle had patches in place.

Oracle has taken a page out of Microsoft's playbook by deciding to roll out security fixes on a set monthly schedule rather than release them individually. Microsoft debuted its monthly patching timetable last October.

The Oracle patches can be downloaded from Metalink, the company's online support service that's available only to registered users.