Oracle’s latest scheduled security updates are now available, coming as they do on the Tuesday closest to the 17th of the month in January, April, July and October.
In Oracle’s vernacular, of course, this isn’t a Patch Tuesday, but rather a Critical Patch Update, or CPU.
Unlike Apple, Oracle is at least regular with its updates, but like Apple, it still hasn’t committed to monthly patches.
That’s a pity, because the number and size of Oracle products – and the scale of some of their deployments – mean that the rollcall for each quarterly update usually makes for dramatic reading, as indeed it does in July 2014, with 113 security patches:
| Product | Security patches |
|---|---|
| Oracle Database Server | 5 |
| Oracle Fusion Middleware | 29 |
| Oracle Enterprise Manager Grid Control | 1 |
| Oracle E-Business Suite | 5 |
| Oracle Supply Chain Products Suite | 3 |
| Oracle PeopleSoft Products | 5 |
| Oracle Siebel CRM | 6 |
| Oracle Communications Applications | 1 |
| Oracle Retail Applications | 3 |
| Oracle and Sun Systems Products Suite | 3 |
Updates for Java
The update that affects the greatest number of users is undoubtedly Java, with 20 CVEs patched, each one closing a hole of the sort Oracle calls remote exploit without authentication, meaning that an outsider who hasn’t logged in could, in theory, trigger each of the 20 vulnerabilities.
Most of the vulnerabilities, as it happens, apply only to Java code running in your browser, so if you had browser Java turned off, as we have long recommended, your attack surface area, to use the trendy term, was already greatly reduced.
So the chances are good you simply don’t need Java enabled while you browse.
Also, as we reminded you earlier in the month, and as Oracle has made clear for some time, Windows XP is no longer officially supported by Java.
You can still install and run the latest update to Java 7 (7u65), but Java 8 (now at 8u11) is off-limits to XP users altogether.
Oracle couldn’t make this any clearer: the Java 8 installer for Windows uses Windows function calls that are supported only in Windows Vista and later, so on XP the installer won’t even load, let alone run and then bail out.
Strictly speaking, XP with Java 7u65 still gives you an up-to-date Java installation, and you’ll continue to get updates to Java 7 on XP until April 2015.
But Oracle offers you nothing more than the noncommittal statement that it “expect[s] that Java 7 (and older versions) will continue to work on Windows XP,” and makes it clear that even if you have a support contract, you shouldn’t bank on fixes for Java bugs that show up on XP only.
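If you manage a fleet of machines, the quickest way to tell whether a given box has picked up this update is to parse what `java -version` reports and compare it with the update levels the article names (7u65 and 8u11). The script below is an added example written for this article, not Oracle’s or Sophos’s code; it assumes the legacy `1.<major>.0_<update>` version string that Java 7 and 8 print, and the sample strings inside it are constructed for illustration.

```python
import re
import subprocess

# Minimum patched update levels named in the July 2014 CPU article:
# Java 7 Update 65 and Java 8 Update 11.
PATCHED_UPDATE = {7: 65, 8: 11}

# Legacy numbering printed by Java 7/8: java version "1.7.0_65"
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)')

# Constructed sample output lines (not captured from a real machine).
SAMPLE_OLD_JAVA7 = 'java version "1.7.0_55"\nJava(TM) SE Runtime Environment'
SAMPLE_NEW_JAVA8 = 'java version "1.8.0_11"\nJava(TM) SE Runtime Environment'


def parse_java_version(output):
    """Return (major, update) from `java -version` output, e.g. (7, 65).

    Only the legacy 1.x numbering is understood; anything else yields None
    so the caller can flag it for a manual look rather than guessing.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(output, table=PATCHED_UPDATE):
    """True if the runtime is at or beyond the July 2014 CPU level.

    Returns False for a major version the table does not cover (Java 6 and
    older are not listed in the article, so they are treated as unpatched)
    and None when the version string could not be parsed.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    if major not in table:
        return False
    return update >= table[major]


def check_installed_java():
    """Run the local `java -version` (it prints to stderr) and classify it.

    Returns True/False/None as is_patched does, or None if no java binary
    is on the PATH at all.
    """
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_patched(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, sample in (("old 7", SAMPLE_OLD_JAVA7), ("new 8", SAMPLE_NEW_JAVA8)):
        print(label, "patched:", is_patched(sample))
    print("this machine patched:", check_installed_java())
```

Because Java 7u65 is the current release for XP as well, the same check is valid there; a result of `None` means the version string was not recognised and deserves a manual look rather than being marked as safe.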
Updates for MySQL
The other noteworthy detail in Oracle’s July 2014 CPU is for users of MySQL Enterprise Server 5.6.
Although many other Oracle products received their Heartbleed bug patches some time ago, MySQL gets that vulnerability patched now.
Most business users have kept their SQL servers away from a public-facing internet connection since the CodeRed virus showed just how many Microsoft SQL servers were directly connected to the internet back in 2001.
Nevertheless, a Heartbleedable server inside your network would almost certainly attract the interest of any attacker who’d made it that far.
What to do?
In Oracle’s own words:
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.
Couldn’t really be clearer than that.