"News Analysis: An eWEEK tour of Oracle's security practices reveals the database maker's stance on researchers' findings as well as how seriously Oracle is taking customers' complaints as it battles to reduce patch time while improving quality.
Brace yourself: Another quarterly CPU (Critical Patch Update) is due out from Oracle Corp. on Jan. 17."
This is a very enlightening three page article by Lisa Vaas of eWeek. It starts by saying that the latest swathe of bugs reported to Oracle by Alex instead of being 252 actual bugs is in fact around 10. I don't know who is right on that score. The key really is that some bugs are true bugs and i guess some are not, the exact figures probably will never be clarified. To do so would mean Alex trying to write exploits for all of them and I guess he doesn't have time for that. The method he used was pretty basic to say the least to find these bugs so i guess its bound to have false positives.
The article goes on to discuss in detail the issues of patch quality, patch fix times and also interviews some of the key players inside Oracle. This is a great article and gives some good insight into the processes and issues of Oracle security patches.
This looks, on the face of it like Oracle are finally turning the corner on fixing security bugs quicker and with better quality. I commend Mary Ann for allowing her people to talk to the press about the inner workings of the fix process and for trying to put some confidence back for customers.