It is Critical Patch Update (CPU) time for Oracle customers, which in one way or another is nearly everyone.
This is the first time Oracle is patching Java on the same quarterly cycle as other products, and perhaps the first time I have had something positive to say about Oracle security.
The October 2013 CPU covers fixes for:
|Oracle Database Server||Oracle Fusion Middleware|
|Oracle Enterprise Manager Grid Control||Oracle E-Business Suite|
|Oracle Supply Chain Products Suite||Oracle PeopleSoft Products|
|Oracle Siebel CRM||Oracle iLearning|
|Oracle Industry Applications||Oracle Financial Services Software|
|Oracle Primavera Products Suite||Oracle Java SE|
|Oracle and Sun Systems Products Suite||Oracle Virtualization|
All of these updates are important, but arguably Java is the most important of all of them.
51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser. Worse yet, all but one are remotely exploitable without authentication.
Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.
- Determine whether you have Java installed and enabled in your web browser. Visit http://java.com/en/download/installed.jsp and click “Verify Java version”. If your browser prompts you to install Java, close the tab; you’re Java-free. If it loads the applet, check your version. Be sure you are running Java 7 update 45 (1.7.0_45), Java 6 update 65 (1.6.0_65) or Java 1.5.0_55.
If you must have Java installed you ought to be running Java 7 (1.7). All previous versions are not officially supported and present a greater security risk.
- If Java is installed and out of date, be sure to update it. Windows users can open the Java Control Panel, select the Update tab and choose Update now. Mac users can check for updates using the integrated Apple updater. Linux users should follow normal procedures for system updates provided by their distribution.
- Most importantly, if you don’t need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn’t belong in your browser. If you’re not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.
I heard that Oracle won the America’s Cup recently which leads me to give them some unsolicited advice.
Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash.
3+ billion devices will thank you.
I asked a colleague and my wife how many of the 51 vulnerabilities they thought were remotely exploitable in this quarter’s patch. Their responses? 50 and 48.
If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly. Microsoft and Adobe both patch monthly and together have less than 50 vulnerabilities fixed per quarter on average.
Oracle, it’s time to step up your game.
Photo of Oracle’s America’s Cup boat creative commons licensed from Donan Raven.
7 comments on “Oracle releases 127 security fixes, 51 for Java alone”
Wow, finally someone important (you) said it: Ellison spends more time and money on fluff than taking care of technology issues. At least Sun was pretty much all technology, just not business savvy.
Regarding your advice:
Item #1 requires Java be enabled in your browser… something item #3 you say is not recommended.
Try this instead:
Start > Run > cmd
Enter the following command: java -version
and there is your latest installed version.
Correct. That will work from bash on Linux and OS X as well. Many of our readers are not comfortable with the command line, so I try to avoid using it in my advice.
The point of #1 is that if Java is NOT installed in your browser, than all is well. You don't need to check the version, you are already safe.
I agree. You don't tell the average user to launch a terminal or command prompt. You don't want to scare them into ignoring security.
I installed Java 45 but POGO still is not loading and Java does not verify.
I just get a box with an X in the upper left corner.
How do I remove the Ask Toolbar again?
I want java, I have it installed, in my browser says it is installed. I have updated java, but pc says my security settings won’t let me have it, how can I change that ? I have looked at my settings and I have no idea what to change 🙁