Forgot your password?
typodupeerror
Security

Oracle Patch Day Becoming Irrelevant 76

Posted by Zonk
from the patches-on-patch-day-seems-logical dept.
mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."
This discussion has been archived. No new comments can be posted.

Oracle Patch Day Becoming Irrelevant

Comments Filter:
  • Deal. (Score:5, Insightful)

    by gregfortune (313889) on Friday May 05, 2006 @11:18AM (#15270284)
    Just because they are a large, successful company doesn't mean schedules are solid and sufficient resources are made available. Microsoft is wildly successful, but faces the same problems. World of Warcraft is wildly successful, but faces the same problems. Ultimately, we still have people involved and people make mistakes. People estimate incorrectly. Stuff happens (c).

    If you have an alternative and they are able to serve you better, migrate. If not, suck it up and be thankful the mistakes of your vendor give you a well paying job.
    • Re:Deal. (Score:5, Insightful)

      by squidguy (846256) on Friday May 05, 2006 @11:36AM (#15270410)
      The difference is, security bugs in WoW cannot manifestly impact worldwide commerce (outside of Blizzard's books), national security and all the other things Oracle (and MSFT, unfortunately) are involved with.

      Either way, this is bad on Oracle's part.
      • The difference is, security bugs in WoW cannot manifestly impact worldwide commerce

        How long will this be the case for though? With the ever-increasing number of real-world businesses growing up around MOGs (paying real money for items, selling/leasing in-game land, etc...) how long will it be before cracks and exploits start having an effect on real-world money?

        For some, the security and integrity of the games involved will be as important to their business and profit as the operating systems they work

        • You're living in fantasy land.

          Games & virtual real estate will never impact the real-world economy signifigantly. Databases handle trillions of dollars worth of business transactions every year. Games will never reach that scale.
          • I have a small business. We generate traffic from search engines. A hiccup in a system (ours, our ISP's, Google's, Yahoo's, etc.) can cost us serious money, and potentially put us out of business and our employees out of jobs. Those that have businesses build around WoW can potentially lose money if Blizzard chokes on their mailing of the money, or other things beyond their control.

            Are these businesses significant on the scale of a wire payment from Wal-Mart -> Rubbermaid not going through, or a trans
            • Signifigant on a global scale, as in "manifestly impact worldwide commerce". Oracle bugs can cause signifigant affects on a global scale. A bug in WoW affects a much smaller part of the population.

              If every electronic database froze up tomorrow, the worldwide economy would be signifigantly damaged.

              If every WoW server crashed tomorrow, there would be very little impact on the worldwide economy.
              • What are they talking about? I just downloaded the patches for 64 bit Solaris 2 days ago from Oracle....
              • But further down the line, when there is a much larger amount of business based around games, when there are games specifically to provide and create business, a problem in a game would have a far larger effect.

                Obviously if every WoW server crashed tomorrow it wouldn't seriously effect the economy (though you might have a hard time convincing Blizzard of that). And of course the exploiting of a game tomorrow, or next year, isn't going to impact more than a few smaller businesses. But in ten years? Fift
            • The difference being you do not have SLAs with Blizzard that guarantee you 99.99% uptime, nor do you pay Blizzard an exorbitant fee every year to provide you with patches. You are relying on public systems with no guarantee of service. If you stake your livelihood on these systems, that's your own problem. This is a risk that you have accepted.

              It's a different story with Oracle. Many companies buy Oracle database software not because it is the best available (though this is pretty much the case anyway) but
      • I agree. But how do you remove the human element? Are you proffering an alternative? It's just life in the big software world. IBM, Sun, Apple and many others have had patch mishaps. How about Sony's nifty little cloaking app? Again, find an alternative and move or suck it up and do your best to deal. It is why we are employeed, after all.
    • Re:Deal. (Score:5, Insightful)

      by EnronHaliburton2004 (815366) * on Friday May 05, 2006 @11:55AM (#15270545) Homepage Journal
      There is a pretty big difference in Scale. You can't compare WoW to Oracle.

      An Oracle Database for a mid-sized website can easily cost hundreds-of-thousands of dollars. We pay Oracle Jockys a 6 figure salary to maintain the behemoth. It's critical to the business. For that price, I expect top-of-the-line support.

      I wouldn't expect stellar support for WoW -- it costs something like $20/month. I'm suprised you attempt to compare the two.

      The total license fees for Microsoft products for a 100-person office (100 workstations, Exchange, a dozen Windows Servers) is relatively low compared to the cost of the Oracle Database. From Microsoft, I expect good support-- the product needs to behave well, we need access to emergency support, etc.
      • Of course the two are different applications with a different effect. I mention WoW due to Blizzard's inability to manage patches properly.

        I mentioned MSFT for the same reason. Do you get good support from them? Better than MSFT? I hear they have a DB product they would like to sell you. If not, continue to use Oracle and deal with the mishaps they might have. That's why you have a job.
    • If not, suck it up and be thankful the mistakes of your vendor give you a well paying job."

      Way to troll... I'd never be thankful that the problems with software require me to spend more time with it. I didn't sign up on my job to "deal with bugs in software", I signed up to administer the damn thing. If the software worked the way it is supposed to, I'd have a hell of a lot more time to do more productive things, and a hell of a lot less stress. And I'm not speaking of Oracle specifically, this applies

  • Heaven Forbid! (Score:4, Insightful)

    by Enonu (129798) on Friday May 05, 2006 @11:20AM (#15270300)
    Heaven forbid that a company take its time testing a patch to make sure it's up to some level of standard. The poster even pointed out that historically, there've been problems with the patches in the past. Maybe patch day should move to quarterly updates for all but the most extreme patches in order to increate quality.
    • I meant to say "move to bi-anually", but I slipped there.
      • Re:Heaven Forbid! (Score:4, Insightful)

        by Oswald (235719) on Friday May 05, 2006 @12:16PM (#15270722)
        Actually, you probably meant to say "semi-annually," but that too ignores the point that Oracle should be allocating enough resources to patch vulnerabilities at the rate they are discovered. "Correct patches, delivered fast enough to keep up with the bugs," should be the standard, not "correct patches as fast as we can get around to them with what we've got handy."
    • Re:Heaven Forbid! (Score:5, Insightful)

      by Bacon Bits (926911) on Friday May 05, 2006 @12:05PM (#15270622)
      If you want to charge people $25,000 for your software, you damn well better patch promptly and completely.

      It's Oracle's responsibility. They they can't do it now, they need to invest in their patch development so that they do.

      • note that you are always allowed to use another [more] reliable database here. they set the price, you bought it, that's economics AFAIK.

        to give them a fair comment, i would say that i believe they have been doing a good job for quite a while and the security problems are not as problematic as it seems to many of the readers here.
        • i would say that i believe they have been doing a good job for quite a while and the security problems are not as problematic as it seems to many of the readers here.

          I'm really not sure I could agree with that.

          If you follow the bugtraq mailing list you'll have seen several recent posts expressing increasing dissatisfaction with the way that Oracle has handled security issues. Including several mentions of one bug being fixed whilst nearly identical (and also public) ones have been ignored.

          For a good exa

  • by FatSean (18753) on Friday May 05, 2006 @11:25AM (#15270332) Homepage Journal
    Anyone involved with software knows that NOTHING gets done on schedule. Smells of a marketing idea that got pushed onto the developers. I mean, it is a good idea...just not very practical.
    • How we got this far on the myth that software development can't be controlled is beyond me. Some old fasion project managment will keep any project on track, but we devs have managed to convince the managers that software development can't be estimated. Construct a Skyscraper and it's no problem to have a time line, but code an app... whoa, that has so many issues. Does construction have zero surprises along the way?

      The truth of the matter is development is slow from lack of focus, and it starts with us
      • Construct a Skyscraper and it's no problem to have a time line, but code an app... whoa, that has so many issues.

        Construction is mostly a repeatable activity with known materials, and hard, fixed requirements.

        Software development, on the other hand, oftne does not have the benefit of hard, fixed requirements. http://twasink.net/blog/archives/2004/10/if_archit ects_h.html [twasink.net] is the normal state of the software industry today.

        Construction (and engineering for that matter) are mostly about repetition. Repeating y
      • If you are cranking out yet another web application, or a standardized patterns-following data system, then you have a point.

        When you are chasing bugs and adding new features...these things are quite variable.

        Here's an analogy...wiring a car on an assembly-line takes constant time, but solving a wiring problem on an existing car takes variable time.
  • "Oracle promised them on May 1. Now they are saying some will come on May 10 and others will come on May 15. It's clear they are having big problems," Cerrudo said.

    He said Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process.

    "For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related," Cerrudo said.

    "Th

  • What happend to Larry's campaign that his products were unbreakable? No need to patch if your products are unbreakable. Notice how that campaign slowly just fizzed out?
  • by mabu (178417) on Friday May 05, 2006 @11:27AM (#15270344)
    I worked on a big project involving Oracle software and after a lot of research, we decided to only use the core database and write our own interfaces to more reliable, more secure open-source systems. When I discovered how convoluted the company's own product line and support process was, I dumped the stock. It doesn't surprise me one bit that they can't meet deadlines of this nature. The internal structure of the organization from my perspective was always a bloody mess.
  • by Anonymous Coward
    Though their database is their flagship product, they have been way too distracted with their substandard Oracle Applications suite. If they really want to do well, they should focus on what they do best and stop wasting their time trying to push poorly written web applications. (I should know, I have to use their worthless timecard and expense system every week.)
    • Oracle E-Business Suite.
      a.k.a.: "Look on my works, ye mighty, and have a chuckle at my goddamn expense."

      Singlehandedly destroyed our call center response times (was at under 1m:00s on a bad day, under 0m:15s on a good day, promptly jumped up to about 10m:00s, and there were no more good days), and after running it for about 8 months now, it still regularly has to go down for essential upgrades. Part of that is, no doubt, the company's IT bungling and inadequate testing, but Oracle's eBS sucks.

      It's horribly
  • From TFA (Score:2, Funny)

    by Aqua_boy17 (962670)
    "These aren't random complaints from unhappy researchers," Newman said, referring to the comments from Kornbrust and Cerrudo. "They need to admit their procedures aren't working and seek help getting it fixed."

    This Week on Ask Slashdot...

    'Larry' has a company that sells database software and he's trying to get developers to release security patches that are both trouble free and actually fix security holes and other problems...and then finally get them to do all of this on time.

    "Microsoft isn't good at
  • Good Thing? (Score:3, Insightful)

    by zaguar (881743) on Friday May 05, 2006 @11:38AM (#15270420)
    A lot of big business runs on Oracle. Governments, Banks, Corporations, etc. Rushing out a patch with fatal flaws, exploitable flaws would potentially cause more damage to the word than the worst predictions of Y2K. I am glad that Oracle are thoroughly testing the patches before they roll them out. I know the DBA's will test the patches, but there is no substitute for vendors testing the patches.
    • I'm not convinced that Oracle is doing a good (enough) job of testing their patches, or more accurately, they are not _able_ to do to a good job no matter how hard they try. Their support matrixes are huge, with many Oracle packages interacting with other Oracle software, along with the OS, and other vendors software. We caught a bug with a patch set, the first customors to find it. An older yet supported software version didn't want to play nice with a newer oracle application. I ment horrible service
  • When you have to pay as much as you need to to run oracle, patches released in a timely manner that actually fix things is part of customer service. If there is no customer service, there is soon no customers. The OSS database engines are gaining ground, and personally, I like the way patches and fixes are released thus far for F/OSS .... I'm seeing fewer and fewer reasons to pay for big software packages like Oracle, MS, etc.

    ROI is important, and bad patch schedules and releases is not good ROI...
  • by HarvardAce (771954) on Friday May 05, 2006 @11:44AM (#15270470) Homepage
    Is the timing of the patches really that much of an issue? Do people install the patches as soon as they are released? I only ask because at my company we are about 2 years behind in the patches (we are still using 9i and in some cases 8), due to an inherent distrust of the stability of a patch. Likewise, not many people are in a rush to install the latest service packs of Windows until all the flaws are worked out.

    I could be missing the point here, and these are minor (yet critical) patches, but if they are, how come they are taking so much time to develop?

  • Software updates can not be sheduled... It is impossible to do something in-time. But it is possible to do something, and then promote it like made in-time :)
  • by Matt Perry (793115) <perry.matt54@yah3.14159oo.com minus pi> on Friday May 05, 2006 @11:55AM (#15270546)
    Unofficial patches available here: Mirror 1 [postgresql.org]. Mirror 2 [mysql.com].

    ;-)

  • First, patches are inevitable for any application or system. Humans write code and humans make mistakes. Patches are like security incidents; if you think you don't have them (or in the case of patches, don't need them), you aren't looking hard enough. To the comment above about why patches are needed (and to all you "my system is totally secure" Mac-heads out there)...even OpenBSD, with all its code review processes for every release, has security vulnerabilities from time to time (go ahead, look them up).
  • Basically...this is not uncommon across the software industry.

    Most of the companies are not mature and entrenched with bureocracy. Staff probably turns over twice a year now when a decade ago devoted "well paid" developers worked long hours to make sure a patch or update was ready for release.

    Now from my perspective, as a DBA responsible for installing and overseeing the installation of software patches on database and application servers, I can't really say this is happening any longer.

    I don't sim
  • Lest we forget, Oracle as a database system is exponenetially more complex than Unix itself, and in fact will probably come to include a linux distro before its all over. Oracle is a funny company, they make REALLY REALLY good databases (no... I mean it), but then they go out and release buggy features with holes in em. The truth? Most of these holes are in shit like ONames (the oracle version of computer browser... Let me expand on this a bit, for 8i Onames had a security hole that was fixable by using the ip address instead of UNC names for target boxes. Easy to workaround, and really more of an annoyance). Long story short, Oracle's the BEST at databases, not because they have some great code team somewhere in a closet doing innovative things but because they've been working on the same core product since 1977.

    It's the same story each release, Oracle marketing trumpets up the latest and greatest Java Parser! then everyone ignores it and goes back to Listeners (which consequently have very few bugs at this point).

    So yeah, patches are important, and yeah I apply em, but with Oracle ONLY (and maybe Solaris) to me this is indeed not a big deal.

    chitlenz

  • by Fro Ingwe (523932) on Friday May 05, 2006 @12:25PM (#15270812)
    I'm an Oracle DBA by trade and was able to patch my test systems running Oracle 9iR2 within days of the scheduled release date.

    The article makes it sound like the target date was missed entirely, and while I know there are delays for some releases, others were made available as planned.

    Why do I get the feeling that most of the complaining here is by people who don't actually use the product?
    • Agreed. When I saw this story, I figured I'd missed something, since my 9i DBs have had the patch since release.

      Metalink note 360465.1 has a table of patch levels required for database versions and patch release dates by OS. For 9.2.0.6, 9.2.0.7, 10.2.0.1 it looks like patches are available, and 10.2.0.2 is only awaiting the patch for the HP Itanium platform ( expected today... I'm sure both sites who use Oracle on HP Itanium will be happy ).

      There is some delay in other oracle versions on other platforms.
    • I just went through patching 4 databases with CPUApril2006 earlier this week. It took a few service requests to Oracle to get some of the error messages that were generated as part of the process identified as benign, and I've still got one relatively minor outstanding issue, but it went with relatively little fanfare. I'll be applying the same patchset to a 10gR2 forms and reports standalone instance soon and expect little trouble.

      Yes, Oracle's slow on releasing patches sometimes. But their support prog
    • Because everyone uses MySQL... Didn't you know, open source is the only way to go with databases.. Because a thousand cooks with no direction is much better at developing database software than one company that's been doing it for decades! Of course, you might also get what you pay for.
  • Maybe they are trying to live up to that old "unbreakable" campaign. If they don't release any patches, it's tough to break anything.

    If you think this applies to just their database software, think again. I've had Oracle ship me gold cut CDs for their OAS app server on several occasions and have seen Oracle Finanaicals implementations go through over 1000 patches over the course of a year.
  • FTFS: But they are amateurs on everything security related.

    Exactly - because only amatuers would force their customers to use cscript [wikipedia.org] as part of the patching process.

    M$ and Firefox manage to release security patches that install themselves. Why can't/won't Oracle do the same?

    Maybe it's job security for that abortion known as MetaLink [oracle.com].

    Or maybe it's so these clowns [dba-oracle.com] can charge Oracle's customers $1000 an hour to not fix anything.

    • M$ and Firefox manage to release security patches that install themselves. Why can't/won't Oracle do the same?

      Interestingly enough, jsut a few years ago, MS SQL Server patches were shipped as archives with updates binaries and you had to replace each file by hand and I think in some cases, run scripts. When slammer came out and borked 80% of the worlds SQL servers, Microsoft realized that the monkeys running their products were probably too stupid to manually apply the patches, and changed their patches so
  • At first glance, I thought the headline was "Orrin Hatch Becoming Irrelevant."

    One can dream, I suppose.
  • This is just one more example of how offshoring development causes disorganization and a lack of control in timeliness and quality of product. You can not base complex software development in remote locations because "it's cheaper" and expect not to have problems with issues related to poor communication, timeliness and product quality. There is too much loss of control of the development process and significantly less motivation for quality and success when there is little downside to failure. The comp
  • Oracle is too busy buying competitors and fusing disparate technologies together to be bothered with unexciting stuff like security patches. Hiring entry level developers and making them do patches is a good way for them to learn the Oracle. ;-)
  • Go check out Blue Lane Technologies... Apparently they emulate patches on the network so you don't have to touch the servers themselves. They've also already got a patch out that covers ALL THE AFFECTED ORACLE RELEASES. Yeah, I'm impressed too.

"The Amiga is the only personal computer where you can run a multitasking operating system and get realtime performance, out of the box." -- Peter da Silva

Working...