It must suck to be Eric Maurice.
He must have done something so bad in a previous life that he’s been lumbered with the job of director of software security assurance at Oracle, which means it’s his unpleasant duty to regularly inform the world of just how many security holes there are in Oracle’s software.
Yesterday, as he explains on the Oracle security assurance blog, Maurice announced that Oracle had released patches for a stonking 154 vulnerabilities:
The October 2015 Critical Patch Update provides fixes for 154 new security vulnerabilities across a wide range of product families, including: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.
Poor Eric. All he wants to do is tell the world what a great job his company is doing fixing security vulnerabilities, and everyone is going to be asking how quite so many flaws and holes can have made it into the software in the first place.
Clearly most of these security vulnerabilities require businesses to take action, but whenever the flaws include Java there is also a requirement for many consumers to ensure that they are either updating their systems or throwing Java into the trash can.
The good news is that Oracle says it has no evidence that any of the most severe vulnerabilities are being exploited in the wild, but – as we all know by now – malicious hackers sometimes reverse-engineer patches in order to find out how to exploit vulnerabilities on systems that have not yet been patched.
The truth is that running software like Java or Adobe Flash on your computer increases your attack surface, and opens up opportunities for malicious hackers to strike.
So, at the very least, consider disabling Java in your web browser.
And, if you really do have in-house websites or visit sites that demand you to have Java enabled, perhaps consider having a secondary browser that you only use when visiting those sites – rather than leaving the technology turned on in your regular browser for all of your surfing.
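The Java Control Panel checkbox "Enable Java content in the browser" is stored as the property deployment.webjava.enabled in Java's deployment.properties file (per user, typically under ~/.java/deployment on Linux, the user's Library/Application Support/Oracle/Java/Deployment folder on OS X, and AppData\LocalLow\Sun\Java\Deployment on Windows; an administrator can also set it in a system-level deployment.properties and lock it with the documented ".locked" suffix). The script below is an added example, not code from the article or from Oracle: it parses a deployment.properties file, reports whether browser Java is still on, and writes out a hardened copy that turns it off and locks the setting. The sample file contents are constructed for the example; the property names are Oracle's, the values are made up.

```python
"""Audit and harden the 'Enable Java content in the browser' setting.

Added example (not from the article or Oracle). Reads a Java
deployment.properties file, reports whether deployment.webjava.enabled
leaves Java on in the browser, and produces a hardened copy that sets it
to false and locks it so the Control Panel cannot switch it back on.
"""
import re

WEBJAVA_KEY = "deployment.webjava.enabled"

# Constructed sample of what the Java Control Panel writes; the keys are
# real deployment.properties keys, the values are invented for this example.
SAMPLE_PROPERTIES = r"""#deployment.properties
#Wed Oct 21 09:15:00 BST 2015
deployment.version=8.0
deployment.browser.path=C\:\\Program Files\\Internet Explorer\\iexplore.exe
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.modified.timestamp=1445415300000
"""


def _unescape(s):
    # Resolve the Java .properties escapes: backslash-colon, backslash-equals,
    # doubled backslash, and the \t \n \r \f control escapes.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Handles '#'/'!' comment lines, '=' / ':' / whitespace separators,
    trailing-backslash line continuations and the usual backslash escapes.
    """
    logical_lines, pending = [], ""
    for raw in text.splitlines():
        pending += raw.lstrip()
        # An odd number of trailing backslashes continues onto the next line.
        trailing = len(pending) - len(pending.rstrip("\\"))
        if trailing % 2 == 1:
            pending = pending[:-1]
            continue
        logical_lines.append(pending)
        pending = ""
    if pending:
        logical_lines.append(pending)

    props = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        # Key runs up to the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^\\=: \t])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


def browser_java_enabled(props):
    """True unless the setting is explicitly 'false'.

    A missing key means the Control Panel default (enabled), which is the
    case an audit must not miss.
    """
    return props.get(WEBJAVA_KEY, "true").strip().lower() != "false"


def harden(props):
    """Return a copy with browser Java disabled and the setting locked.

    Appending '.locked' to a property name is the deployment.properties
    convention that stops the Control Panel from changing that property.
    """
    hardened = dict(props)
    hardened[WEBJAVA_KEY] = "false"
    hardened[WEBJAVA_KEY + ".locked"] = ""
    return hardened


def serialize(props):
    """Write properties back out, escaping backslash, ':' and '=' as Java expects."""
    def esc(s):
        return s.replace("\\", "\\\\").replace(":", "\\:").replace("=", "\\=")
    return "\n".join(f"{esc(k)}={esc(v)}" for k, v in sorted(props.items())) + "\n"


if __name__ == "__main__":
    current = parse_properties(SAMPLE_PROPERTIES)
    state = "ENABLED" if browser_java_enabled(current) else "disabled"
    print(f"{WEBJAVA_KEY}: browser Java is {state}")
    print("Hardened file to write in its place:")
    print(serialize(harden(current)))
```

Run it against a real deployment.properties by replacing SAMPLE_PROPERTIES with the file's contents; an empty or missing file counts as "enabled", because that is what the Control Panel default means in practice.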
For more details of Oracle’s October 2015 security updates, check out the company’s advisory.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
4 comments on “Imagine being reincarnated as the guy in charge of Oracle security…”
'Poor Eric. All he wants to do is tell the world what a great job his company is doing fixing security vulnerabilities,'
Slightly compromising your sarcasm, that is a valid point: they are fixing security vulnerabilities. But unfortunately:
'and everyone is going to be asking how quite so many flaws and holes can have made it into the software in the first place.'
… is also valid. How they ever had as many vulnerabilities as this fix includes is hard to know (other than that they should be training their programmers much more – which is the answer to the question). Oracle is simply a terrible company and I really wish they hadn't taken over Sun Microsystems (not that Sun was perfect). Yet I can't say I would like them to go away, because despite Java's flaws, there are a good many people that rely on it, and no matter its risks, there are some uses to it (at least outside of a web browser). And I have to admit that VirtualBox is a handy utility from time to time.
Wasn't it Oracle that attempted to sue researchers for revealing flaws? I guess they aren't the only corporation to do something like this, but if they did indeed do this, it is very telling.
As for visitors saying they have to have Java (or some other requirement) – I say too bad; if you're using something of mine (not that I would let anyone use my computers – if they could unlock it and use it in the first place) then *I* set the terms, not them. Anything else is ungrateful and I don't tolerate that (and to be blunt, no one else should – especially when it is at the expense of anyone or anything).
Probably worth reading in context with the below:
This would not even be on my Mac but for the fact that I use Adobe Creative Suite 6. I've removed Flash, installed OS X El Capitan but not yet stumped up the monthly subscription to Adobe Creative Cloud. In order to run CS6 I was forced to infect my MacBook Pro with Java 8 r65. I've disabled its use in the browser through the control panel so hopefully it will not increase my attack surface. Once I find the money to pay Adobe every month I will remove Java, and I'm somewhat miffed and mystified as to why Adobe force me to use it anyway.
Gee, one hundred plus vulns to patch seems to be a common occurrence for just about all the major tech companies these days. Apple last patched almost 100, and the three updates before that were close to 150 each. Google on the other hand can spread them out and patch single items more frequently, thus concealing their totals.
Really wish all these software writers and especially the security engineers would spend more time tightening up existing code, instead of the drive for new and oftentimes frivolous features.