Oracle Unleashes the Mother of All Security Patches
Java -- you can't live with it, you can't live without it. That seems to be the consensus among IT security professionals. Numerous vulnerabilities have been exposed in Java over time, a consequence of "Java's crude beginnings and Sun's and Oracle's failure to deal with them adequately," said Infostructure Associates' Wayne Kernochan. Alternatives are few, though, and porting would be a nightmare.
Oct 17, 2013 12:13 PM PT
Oracle has released a whopper of a critical patch update for October, with 127 security fixes across several of the company's products.
Of these, 51 are fixes for Java SE, and all but one of those will allow remote exploitation of a computer without authentication.
Oracle recommends the patch be applied as soon as possible, as many of the vulnerabilities cross product family lines, and its products are interdependent.
However, the patch applies only to products whose licensees have premier support or extended support.
About the Uber-Patch
Forty of the 51 Java vulnerabilities apply to client deployment of Java. Of these, one is exploitable only during the act of deploying Java clients; the rest apparently can be exploited on Java clients at other times.
Eight of the Java flaws impact both client and server-side implementations.
Of the remaining three, one applies to the Java Heap Analysis, and two apply to sites that run the Javadoc Tool as a Service.
The October patch includes 22 fixes covering Oracle E-Business Suite, Oracle Supply Chain Products Suite, PeopleSoft Enterprise, Siebel CRM and iLearning.
Six other patches are for Oracle Industry Applications, and one is for Oracle Financial Services software.
Another 17 fixes are for Oracle Fusion Middleware. Twelve of them are for remotely exploitable vulnerabilities.
The update includes 12 new security fixes for the Oracle and Sun Systems Products Suite, five of which are remotely exploitable.
There are four patches for Oracle Enterprise Manager Grid Control vulnerabilities that are remotely exploitable.
One patch is provided for an Oracle Database flaw that is remotely exploitable. Another Oracle Database flaw already has been fixed.
Oracle Patch Pushback
"Oracle needs to consider a monthly release cycle," growled Tyler Reguly, technical manager of security R&D at Tripwire. "At this point, users everywhere should be outraged that Oracle feels a quarterly patch cycle is sufficient to keep them safe."
Although Oracle has a potential advantage in knowing database security very well, "I see no signs that security outside of the database is one of Oracle's very highest priorities, and Oracle product integration is not very tight; hence its security schemes for those are not as good as they might be," Wayne Kernochan, president of Infostructure Associates, told the E-Commerce Times.
However, Oracle "is putting more resources on security than ever," averred Al Hilwa, a program director at IDC.
Loving Java Can Hurt
Java accounts for 40 percent of the flaws fixed in the latest update.
"I look at the last few Java application holdouts and cross my fingers that they'll consider a technology transition in the near future," Tripwire's Reguly told the E-Commerce Times.
"I'm not comfortable with Java on my personal computers anymore, and I'd love to see it removed from corporate systems," he continued.
Here to Stay
Numerous vulnerabilities have been exposed in Java over time, a consequence of "Java's crude beginnings and Sun's and Oracle's failure to deal with them adequately," said Kernochan.
Still, so much is dependent on Java that no one can afford not to maintain or develop it and continue to patch, he contended.
"Java is critical for enterprise development, where there is likely the largest single skill base in a single programming language," Hilwa told the E-Commerce Times.
In terms of functionality, Google Go is an acceptable alternative to Java, Kernochan said. However, there is probably no acceptable alternative in terms of minimizing the amount of porting that would be necessary if an alternative were selected.