Microsoft earns patching praise from IT execs

20.01.2006

Microsoft is also an obvious target for malicious hackers, who often put the company's flaws in the public eye. For instance, users earlier this month pressured the company to release a patch for the so-called Windows Metafile flaw in advance of its usual monthly security updates because attackers were actively trying to exploit the vulnerability.

Because of those factors, 'Microsoft is held to a higher standard, which lets other vendors get away with practices that Microsoft would have gotten creamed for,' Pescatore said. Oracle, for one, rarely divulges the details of the vulnerabilities in its products as completely as Microsoft does with its flaws, according to Pescatore. That makes it hard for Oracle users to do risk assessments or prioritize their patching plans, he said.

'Oracle has sort of this "Trust me, I know what I'm doing" attitude with their customers,' said Jon Oltsik, an analyst at Enterprise Strategy Group Inc. in Milford, Mass. 'With the security community, they've got an antagonistic attitude. As more difficult or esoteric attacks begin to happen, that's not a recipe for success.'

Patch quality also remains a big issue for Oracle, said David Litchfield, managing director of Next Generation Security Software Ltd., a security research firm in Surrey, England. 'Every critical patch update so far has been flawed in some fashion or the other and has been rereleased multiple times,' said Litchfield, whose firm has uncovered several vulnerabilities in Oracle products, including one covered by this week's patch release.

Vendors such as Cisco, Sun and Red Hat Inc. also aren't as forthcoming as Microsoft in sharing vulnerability information that can help users mitigate their exposure to threats, said Michael Sutton, director of VeriSign Inc.'s iDefense Labs unit in Reston, Va.