Oracle releases 127 security fixes, 51 for Java alone

Filed Under: Featured, Java, Oracle, Vulnerability

Patch Tuesday - now for 28 products in the Oracle stable

It is Critical Patch Update (CPU) time for Oracle customers, which in one way or another is nearly everyone.

This is the first time Oracle is patching Java on the same quarterly cycle as other products, and perhaps the first time I have had something positive to say about Oracle security.

The October 2013 CPU covers fixes for:

Oracle Database Server
Oracle Fusion Middleware
Oracle Enterprise Manager Grid Control
Oracle E-Business Suite
Oracle Supply Chain Products Suite
Oracle PeopleSoft Products
Oracle Siebel CRM
Oracle iLearning
Oracle Industry Applications
Oracle Financial Services Software
Oracle Primavera Products Suite
Oracle Java SE
Oracle and Sun Systems Products Suite
Oracle Virtualization
Oracle MySQL

All of these updates are important, but arguably Java is the most important of all of them.

51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java applets or Java Web Start, the mechanisms that run Java from your web browser. Worse yet, all but one are remotely exploitable without authentication.

Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.

My advice?

  1. Determine whether you have Java installed and enabled in your web browser. Visit http://java.com/en/download/installed.jsp and click "Verify Java version". If your browser prompts you to install Java, close the tab; you're Java-free. If it loads the applet (which it can only do if the browser plugin is enabled), check your version. Be sure you are running Java 7 update 45 (1.7.0_45), Java 6 update 65 (1.6.0_65) or Java 5.0 update 55 (1.5.0_55).


    If you must have Java installed you ought to be running Java 7 (1.7). All earlier versions are no longer officially supported and present a greater security risk.

  2. If Java is installed and out of date, be sure to update it. Windows users can open the Java Control Panel, select the Update tab and choose Update now. Mac users can check for updates using the integrated Apple updater. Linux users should follow normal procedures for system updates provided by their distribution.


  3. Most importantly, if you don't need Java, get rid of it. Java can be useful for desktop applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn't belong in your browser. If you're not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.
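To turn the three steps above into something you can run on a fleet rather than one browser at a time, here is an added example (my own code, not from the original post or from Oracle). It reads the text that `java -version` prints to stderr, compares the update number against the October 2013 CPU levels quoted above (1.7.0_45, 1.6.0_65, 1.5.0_55), and separately inspects a Java `deployment.properties` file for the `deployment.webjava.enabled` key that the Java Control Panel's "Enable Java content in the browser" checkbox writes (that key name and the sample outputs below are assumptions I supply for illustration; verify the key against your own JRE's file).

```python
import re
import subprocess

# Patched update levels from the October 2013 CPU, as quoted in the post:
# Java 7u45 (1.7.0_45), Java 6u65 (1.6.0_65), Java 5.0u55 (1.5.0_55).
CPU_OCT_2013 = {
    "1.7.0": 45,
    "1.6.0": 65,
    "1.5.0": 55,
}

# `java -version` writes to stderr; the first line carries the version string,
# e.g.  java version "1.7.0_40"  (OpenJDK prints  openjdk version "1.7.0_40").
# The update number follows the underscore; a bare "1.7.0" is the GA release.
_VERSION_RE = re.compile(r'version "(\d+\.\d+\.\d+)(?:_(\d+))?')

# Constructed sample outputs (not captured from any real machine).
SAMPLE_OUTDATED = ('java version "1.7.0_40"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_40-b43)\n')
SAMPLE_PATCHED = ('java version "1.7.0_45"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_45-b18)\n')
SAMPLE_NO_JAVA = "'java' is not recognized as an internal or external command\n"


def parse_java_version(output):
    """Return (family, update) from `java -version` text, e.g. ("1.7.0", 40).

    Returns None when no version line is present (no JRE on the PATH)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    family = m.group(1)
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def check_java(output, baseline=CPU_OCT_2013):
    """Classify `java -version` output against a CPU baseline.

    Returns "absent" (no JRE found), "patched", "outdated", or "unknown"
    (a family the baseline says nothing about, e.g. 1.4.2)."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "absent"
    family, update = parsed
    if family not in baseline:
        return "unknown"
    return "patched" if update >= baseline[family] else "outdated"


def browser_plugin_disabled(deployment_properties):
    """True if deployment.properties turns Java off in the browser.

    Assumed key: deployment.webjava.enabled=false, written by the Control
    Panel when "Enable Java content in the browser" is unchecked. An absent
    key means the plugin is still enabled."""
    for line in deployment_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False


def run_local_check():
    """Run `java -version` on this machine and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:          # no `java` binary on the PATH at all
        return "absent"
    return check_java(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print("constructed sample 1.7.0_40:", check_java(SAMPLE_OUTDATED))
    print("constructed sample 1.7.0_45:", check_java(SAMPLE_PATCHED))
    print("this machine:", run_local_check())
```

The version check answers "is it installed and is it current?" (the author's steps 1 and 2); the properties check answers "is it reachable from the browser?" (step 3). A JRE can be fully patched and still be the wrong answer if the plugin remains enabled, so report both, and note that a box returning "unknown" for a 1.4.x family is not covered by this CPU at all and should be treated as out of date.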

I heard that Oracle won the America's Cup recently, which leads me to give them some unsolicited advice.

Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash.

3+ billion devices will thank you.

I asked a colleague and my wife how many of the 51 vulnerabilities they thought were remotely exploitable in this quarter's patch. Their responses? 50 and 48.

If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly. Microsoft and Adobe both patch monthly and together have fewer than 50 vulnerabilities fixed per quarter on average.

Oracle, it's time to step up your game.

Photo of Oracle's America's Cup boat creative commons licensed from Donan Raven.


7 Responses to Oracle releases 127 security fixes, 51 for Java alone

  1. Sayville Library · 373 days ago

    Wow, finally someone important (you) said it: Ellison spends more time and money on fluff than taking care of technology issues. At least Sun was pretty much all technology, just not business savvy.

  2. Spryte · 373 days ago

    Regarding your advice:

    Item #1 requires Java to be enabled in your browser... something item #3 says is not recommended.

    Try this instead:

    Start > Run > cmd

    Enter the following command: java -version

    and there is your latest installed version.

    • Chester Wisniewski · 373 days ago

      Correct. That will work from bash on Linux and OS X as well. Many of our readers are not comfortable with the command line, so I try to avoid using it in my advice.

      The point of #1 is that if Java is NOT installed in your browser, then all is well. You don't need to check the version, you are already safe.

      • I agree. You don't tell the average user to launch a terminal or command prompt. You don't want to scare them into ignoring security.

  3. Rosita · 373 days ago

    I installed Java 45 but POGO still is not loading and Java does not verify.

    I just get a box with an X in the upper left corner.

  4. notagain · 372 days ago

    How do I remove the Ask Toolbar again?

  5. sandra · 119 days ago

    I want Java, I have it installed, and my browser says it is installed. I have updated Java, but the PC says my security settings won't let me have it. How can I change that? I have looked at my settings and I have no idea what to change :(


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.