Oracle has released a whopping 51 Java fixes amid a wider update to address 127 security flaws in its October Critical Patch Update (CPU).
The fixes cover a raft of products including Oracle's Database, Fusion Middleware, PeopleSoft and the Java Standard Edition platform products. Oracle said: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible."
Security vendors echoed this call to install the updates as soon as possible as they pointed out the severity of some of the issues Oracle has fixed. Chief technology officer for Qualys Wolfgang Kandek noted that some had the potential for devices to be completely overrun by attackers.
“The Java update should be a top priority for this month as it addresses 51 vulnerabilities, 12 of which have the highest CVSS v2 [Common Vulnerability Scoring System] score of 10,” he said.
“[This means] these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication.”
Ross Barrett, senior manager of security engineering at Rapid7, added his voice to the calls for firms to move quickly and urged wider Java security precautions to be taken given the platform's long-running security risks.
“The vast majority of these issues affect the Java browser plugin and users are advised to keep up to date with patches. Secondly, users should take advantage of all the signing and execution restrictions offered by the latest plugin versions,” he said.
“Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin. Otherwise, run Java in the most restricted mode and only allow signed applets from whitelisted sites to run.”
Given the huge amount of update issues, and the fact that Oracle still works on a quarter-to-quarter release cycle, rather than monthly, Chester Wisniewski, senior security advisor at Sophos, urged the company to invest more in security updates in a blog post.
“I heard that Oracle won the America's Cup recently, which leads me to give them some unsolicited advice. Put the award on the shelf in your lobby, sell the $10,000,000 boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash,” he wrote.
The update is also noteworthy as it brings the Java patch release cycle into the same quarter as the rest of the firm’s security releases for the first time. This should at least make it easier for IT administrators to keep track of all the security updates they have to tackle in one go.