Database maker Oracle announced on Wednesday that the company's quarterly Critical Patch Updates (CPUs) will give administrators more guidance by providing a summary of the flaws fixed in the update and grading the threat posed by each issue.
The change in policy, announced on the company's blog, will start with the update due out on October 17. The company will grade the severity of each flaw using the Common Vulnerability Scoring System (CVSS), highlight flaws that are remotely exploitable by an unauthenticated user and summarize the vulnerabilities fixed by a patch.
"Oracle introduced these changes as the result of feedback we received from many of our customers," Eric Maurice, manager for security in the company's Global Technology Business Unit, stated in the blog. "We hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly."
Security researchers have criticized Oracle in the past for how long the company has taken to fix vulnerabilities. In July 2005, security experts at Red Database Security publicly disclosed six flaws, claiming that the company had had more than 650 days to fix them. Earlier this year, a second security company released details of a critical flaw after failing to convince Oracle to fix the issue quickly.
The latest move drew praise from Oracle watcher Peter Finnigan, who first noted the change in policy on Wednesday. "This is great news for Oracle customers and will hopefully enable more people to decide what is critical and also what needs to be patched," he said.
Posted by: Robert Lemos