October 16, 2013
Oracle Releases Critical Patch With 127 Fixes, Including 51 For Java
Peter Suciu for redOrbit.com – Your Universe Online
On Tuesday, Oracle released a patch that addresses security issues in its products, including its database and, most notably, Java. This included 127 fixes that patch flaws that could have let hackers take over various systems.
Of the total fixes that were included in the quarterly Critical Patch Update (CPU), 51 were for Java. This is the first time that Oracle has included Java in the CPU, but the company had previously announced its plans to increase the frequency of the Java security release from once every four months to once every three months.
The new Java SE 7 Update 45 (7u45) version addresses significant vulnerabilities. “The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication,” warned Wolfgang Kandek, CTO at cloud security firm Qualys, in a blog post on Tuesday.
“The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines.”
The October CPU release also included fixes for a variety of Oracle’s applications, including those in the enterprise server-related product family: Oracle Database; Oracle Fusion Middleware; Oracle Enterprise Manager; Oracle Applications - E-Business Suite; Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite; Oracle FLEXCUBE Products Suite; Oracle Health Sciences Products Suite; Oracle Retail Products Suite; Oracle Primavera Products Suite; Oracle Java; and Oracle MySQL.
However, Java clearly remains the biggest concern for most web users.
“Aside from Java, it's mostly ho-hum, low impact stuff,” Ross Barrett, senior manager of security engineering at vuln management biz Rapid7, told the Register on Tuesday. “There’s a CVSS 8.5 vulnerability in MySQL’s Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting.”
Many security experts have been critical of Oracle for its slow response in ensuring that users are safe, but apparently none more so than Chester Wisniewski, a senior security advisor at Sophos Canada.
“If you don’t need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn't belong in your browser,” Wisniewski noted on the Naked Security blog. “If you're not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.”
He added, “I heard that Oracle won the America’s Cup recently which leads me to give them some unsolicited advice. Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash.” He further noted, “If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly.”