Wednesday, January 21, 2015

Patch Now!

So two guys walk into a bar.  They're both talking like pirates and dressed like pirates.  The bartender asks...

No, wait, that's not the kind of patch we're talking about today.  Sorry, folks.  We're talking about a patch for your software...a fix or an update for software you already have in place.  Did you know Oracle puts out Critical Patch Updates ("CPU"s) for all their project on a regular basis?  You can read about Oracle's CPUs here.  Clicking on the link for any CPU listed will give you more information about the contents of that patch.

Now there's one important point you need to know.  It's that word "Critical" that Oracle uses in the term "Critical Patch Update".  Folks, when Oracle says "Critical", they're not kidding around.  Both important and urgent.  Security improvements, bug fixes, compatibility upgrades, new functionality...any and all can show up in a CPU.  So, in terms of applying patches, time is of the essence.  This is especially true with security fixes.  Note Oracle's language on the subject:

Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

Just yesterday, we saw a timely example demonstrating the urgency of applying a CPU as soon as it is released.  David Litchfield (@dlitchfield) is a pretty brilliant security researcher when he's not taking pictures of sharks.  He recently spotted a pretty significant security hole in the Oracle database.  Requires certain circumstances and certain versions of the database, but it's still pretty significant.  So...David turned his find into Oracle.  The fix was issued in the Oracle CPU released yesterday, January 20.  You can read David's analysis of his find and the fix, along with the 160+ other security patches in this latest CPU, here.  A great perspective in addition to the description Oracle provides.

Now, y'all have read or heard me say in the past that I consider the Oracle database to be the most rock-solid, reliable database available.  Period.  This recent incident does not change my opinion on that one iota.  At the same time, it reinforces my opinion that software is complex stuff that requires continual improvement...this is just another example of that.  In order to use the stuff, you have to stay least on the CPUs.

If you use an Oracle database, you really should apply this CPU.  Like now.  Same rule applies to all Oracle CPUs. Patch now!

No comments: