This is the first time Oracle is patching Java on the same quarterly cycle as other products, and perhaps the first time I have had something positive to say about Oracle security.
The October 2013 CPU covers fixes for:
- Oracle Database Server
- Oracle Fusion Middleware
- Oracle Enterprise Manager Grid Control
- Oracle E-Business Suite
- Oracle Supply Chain Products Suite
- Oracle PeopleSoft Products
- Oracle Siebel CRM
- Oracle iLearning
- Oracle Industry Applications
- Oracle Financial Services Software
- Oracle Primavera Products Suite
- Oracle Java SE
- Oracle and Sun Systems Products Suite
- Oracle Virtualization
All of these updates are important, but arguably Java is the most important of all of them.
51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser. Worse yet, all but one are remotely exploitable without authentication.
Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.
- Determine whether you have Java installed and enabled in your web browser. Visit http://java.com/en/download/installed.jsp and click “Verify Java version”. If your browser prompts you to install Java, close the tab; you’re Java-free. If it loads the applet, check your version. Be sure you are running Java 7 update 45 (1.7.0_45), Java 6 update 65 (1.6.0_65) or Java 1.5.0_55.
If you must have Java installed you ought to be running Java 7 (1.7). All previous versions are not officially supported and present a greater security risk.
- If Java is installed and out of date, be sure to update it. Windows users can open the Java Control Panel, select the Update tab and choose Update now. Mac users can check for updates using the integrated Apple updater. Linux users should follow normal procedures for system updates provided by their distribution.
- Most importantly, if you don’t need Java, get rid of it. Java can be useful for desktop applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn’t belong in your browser. If you’re not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.
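The version check in the first step can be scripted for machines where the browser test is impractical (servers, fleet inventory). The script below is an added example, not from the original post: it parses `java -version` output and compares the update number against the fixed levels the post names (1.7.0_45, 1.6.0_65, 1.5.0_55). The function names, the fixed-level constants and the sample output are this example's own; it only inspects the JRE on PATH, which is not necessarily the runtime a browser plugin loads.

```shell
#!/bin/sh
# Added example, not from the original post: check a Java version string against
# the October 2013 CPU levels the post names (1.7.0_45, 1.6.0_65, 1.5.0_55).
# It only inspects the JRE on PATH, not what a browser plugin actually loads.

FIXED_17=45   # Java 7 update 45
FIXED_16=65   # Java 6 update 65
FIXED_15=55   # Java 5 update 55

# java_is_patched VERSION  (VERSION looks like 1.7.0_45)
# Returns 0 when the update number is at or above the fixed level for its line,
# 1 for older updates, for lines the CPU does not cover, or for unparsable input.
java_is_patched() {
    ver="$1"
    line=$(printf '%s' "$ver" | cut -d_ -f1)      # release line, e.g. 1.7.0
    upd=$(printf '%s' "$ver" | cut -s -d_ -f2)    # update number, e.g. 45
    case "$upd" in
        ''|*[!0-9]*) return 1 ;;                   # missing or non-numeric update
    esac
    case "$line" in
        1.7.0) need=$FIXED_17 ;;
        1.6.0) need=$FIXED_16 ;;
        1.5.0) need=$FIXED_15 ;;
        *) return 1 ;;                             # not a line this CPU patches
    esac
    [ "$upd" -ge "$need" ]
}

# version_from_output TEXT
# Pulls the quoted version out of `java -version` output, whose first line is
# like: java version "1.7.0_45"  (newer builds print "openjdk version").
version_from_output() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^java version "\([^"]*\)".*/\1/p' \
        -e 's/^openjdk version "\([^"]*\)".*/\1/p' | head -n 1
}

# check_local_java
# Exit status: 0 if no Java is on PATH or it is at the CPU level,
# 1 if an out-of-date Java is present, 2 if the version could not be parsed.
check_local_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "No java on PATH: nothing to patch here."
        return 0
    fi
    out=$(java -version 2>&1)            # java -version writes to stderr
    v=$(version_from_output "$out")
    if [ -z "$v" ]; then
        echo "Could not parse a version from: $out"
        return 2
    fi
    if java_is_patched "$v"; then
        echo "Java $v is at or above the October 2013 CPU level."
    else
        echo "Java $v is NOT at the October 2013 CPU level: update it or remove it."
        return 1
    fi
}

# Constructed sample of `java -version` output (an unpatched Java 7 update 40),
# so the parser can be exercised on a machine without Java.
SAMPLE_OUTPUT='java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)'

# Run the check for this machine; the status is kept in JAVA_CHECK_STATUS.
JAVA_CHECK_STATUS=0
check_local_java || JAVA_CHECK_STATUS=$?
```

Any release line the CPU does not cover (including anything newer than Java 7) is reported as not at this patch level, so the check errs toward flagging rather than silently passing; a version that is parseable but unpatched produces the "update it or remove it" message, which matches the post's own advice.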
I heard that Oracle won the America’s Cup recently which leads me to give them some unsolicited advice.
Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash.
3+ billion devices will thank you.
I asked a colleague and my wife how many of the 51 vulnerabilities they thought were remotely exploitable in this quarter’s patch. Their responses? 50 and 48.
If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly. Microsoft and Adobe both patch monthly and together have fewer than 50 vulnerabilities fixed per quarter on average.
Oracle, it’s time to step up your game.
Photo of Oracle’s America’s Cup boat creative commons licensed from Donan Raven.