Oracle Corp. Thursday announced that it is moving to a quarterly patch release schedule in response to user demands for a more predictable process for applying needed security fixes to the company"s software. The move comes amid continuing criticism of the company"s handling of a recent major security update by analyst firm Gartner Inc. The first set of patches under Oracle"s new schedule will be released Jan. 18 via the company"s support Web site, with subsequent releases slated for April 12, July 12 and Oct. 18.

The quarterly Critical Patch Update schedule will allow users to better plan for security fixes while at the same time not exposing them to undue risks, Mary Ann Davidson, the company"s chief security officer, said at a news conference earlier today. "We think there"s a number of benefits to doing it this way. Based on a lot of discussions (with users) we feel confident that this will strike a good balance."

Under the Critical Patch Update program, Oracle will release highly integrated patches that combine fixes for multiple high-priority vulnerabilities, Davidson said. The patches will be cumulative, meaning users who miss applying patches one quarter can apply a cumulative update the following quarter that addresses both the previous problems and any new ones that might have cropped up, Davidson said.

All of Oracle"s major products will be covered, she said.

Oracle"s move to a quarterly schedule "is going to make it a lot easier for companies to plan for these (fixes) and will be well received," said Rich Niemiec, former president of the International Oracle Users Group and CEO of TUSC, a Chicago-based consultancy. The "announcement today should solve a lot of issues with security patches" that Oracle has been having, he said.

"It"s good news for users," agreed Howard Muffler, director of enterprise services at Embry-Riddle Aeronautical University in Daytona Beach, Fla., which uses a wide variety of Oracle products. Having a predictable update schedule will eliminate the "waiting game" for companies when it comes to Oracle security patches, Muffler said.

Oracle"s move comes less than a week after Gartner issued an advisory blasting the company for its failure to disclose enough details of the vulnerabilities addressed by a critical patch released by Oracle in August. Patch 68 was given the highest severity rating by Oracle and affects several of its products, including its database and application server products. Oracle reissued an alert relating to the patch in mid-October after a proof-of-concept exploit began circulating on the Internet.

But Oracle"s refusal to reveal the consequences for users that don"t apply the patch increases the risk for users, said Rich Mogull, one of the co-authors of the Gartner advisory. "Oracle is claiming that they don"t want to reveal more information because hackers will take advantage of it," Mogull said. "That"s a theory that"s 10 to 20 years out of date. If you don"t tell the good guys what the problem is, they don"t have a way to evaluate the severity" of a problem, he said.

Gartner, which advises its clients to install the patch, has heard from several Oracle administrators who are nervous about installing the patch without knowing what it does, Mogull said. "If something breaks, they don"t know where to start to fix it -- so they have to go back to Oracle," Mogull said.

Davidson, however, defended Oracle"s stance and said the company had released the information necessary for administrators to install the patch. The goal is to try and provide enough information to users without giving hackers a "road map" for taking advantage of flaws, she said.