
Oracle Issues October CPU and Apple Updates Java

October 18, 2012 By Corey Nachreiner

This week, Oracle released its quarterly Critical Patch Update (CPU) for October 2012, as well as a separate Java SE security update. Apple also released Java updates for OS X that correspond to Oracle's Java patch. I describe all of these updates below.

Oracle CPU for October 2012:

Oracle CPUs are collections of security updates that fix vulnerabilities across a wide range of Oracle products. According to the October CPU advisory, this quarter's updates fix 109 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite                 Flaws Fixed (CVEs)   Max CVSS
Database Server                   5                   10.0
Fusion Middleware                26                   10.0
MySQL                             2                    9.0
Sun Product Suite                18                    7.8
E-Business Suite                  9                    6.4
Supply Chain Product Suite        9                    5.5
Financial Service Software       13                    5.5
PeopleSoft Products               9                    4.3
Siebel CRM                        2                    4.3
Industry Applications             2                    4.3
Virtualization Products           2                    4.3

Oracle's advisory doesn't describe every flaw in technical detail. However, it does describe the general impact of each issue and shares CVSS severity ratings. While the severity of the 109 vulnerabilities differs greatly, some of them pose a critical risk.

For instance, the updates for Oracle Database Server and Fusion Middleware both fix vulnerabilities with a CVSS score of 10, the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you'll want to install the corresponding updates as soon as you can. You'll find more details about these updates in the Patch Availability section of Oracle's alert.

Oracle Java SE CPU:

Oracle also released a separate CPU advisory for Java SE, announcing a security update that fixes 30 vulnerabilities in the widely deployed runtime used to run Java applications and browser applets. Again, Oracle doesn't describe these flaws in technical detail; it only shares their severity. However, Oracle has assigned ten of the vulnerabilities the maximum CVSS score of 10, which means they are exploitable over the network without authentication and lead to a complete compromise of confidentiality, integrity and availability. In practice, that means a remote attacker can gain complete control of your computer. In the case of Java attacks, this typically means enticing you to a web site containing malicious Java code.

Personally, I think this Java update is more important than all the patches in Oracle’s primary CPU, simply because almost everybody has Java installed. Right now, Java is one of the most targeted applications for drive-by download attacks, and every major underground web exploit framework has many Java exploits built-in. If you haven’t already, you should patch Java immediately. You can find more information on where to get the update in the Patch Availability Table of Oracle’s advisory.

In a related note, a while back a researcher found a serious "sandbox escape" vulnerability in Java. This update still does not fix that particular flaw. The good news is that the researcher has not disclosed the technical details of this flaw to the public, so attackers aren't known to be exploiting it in the wild. Nonetheless, I would still keep an eye out for a patch, since I'm sure blackhat hackers are now searching for it.

Apple Releases Java Updates for OS X:

Finally, yesterday Apple also released Java updates for all current versions of OS X. Apple packages its own version of Java for OS X, probably to make it easier for users to run Java apps. This means that when Oracle updates Java, Apple has to update its version separately.

Yesterday's OS X Java updates fix the same vulnerabilities as the official Oracle update above, but OS X users need to install Apple's version of the updates. If you use OS X, download and install Java for Mac OS X 10.6 Update 11 or Java for OS X 2012-006 immediately, or let Apple's Software Update program do it for you.
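Whether you took the update from Oracle or from Apple, the check that matters afterwards is the same: does the runtime that is actually on the machine report an update level at or above the one this CPU delivered? The POSIX shell snippet below is an added example, not code from this post, from Oracle or from Apple. It parses the banner that `java -version` prints (the 2012-era `1.<major>.0_<update>` format) and compares it against a required update number. The minimum update levels it encodes (Java SE 7 Update 9 and Java SE 6 Update 37) are taken from Oracle's October 2012 Java SE advisory, not from this page, so re-check them against the advisory before relying on them; the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an installed Java SE runtime is at or above the
# update level shipped by a Critical Patch Update. Assumes the banner format
# `java version "1.<major>.0_<update>"` that Oracle 6/7 and Apple's OS X Java
# printed in 2012; Java 9+ uses a different scheme and is reported as unhandled.

# java_update_level BANNER  ->  prints "<major> <update>", e.g. "7 9"
# Returns 1 if the banner contains no recognisable version line.
java_update_level() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    major=$(printf '%s' "$ver" | cut -d. -f2)                         # 1.7.0_09 -> 7
    update=$(printf '%s' "$ver" | sed -n 's/^[0-9.]*_\([0-9]*\).*/\1/p') # 1.7.0_09 -> 09
    update=$(printf '%s' "$update" | sed 's/^0*//')                   # 09 -> 9 (no octal surprises)
    [ -n "$major" ] || return 1
    printf '%s %s\n' "$major" "${update:-0}"
}

# java_is_patched BANNER NEED_MAJOR NEED_UPDATE
# 0 = at or above the required update, 1 = out of date,
# 2 = not comparable (unparseable banner or a different release family)
java_is_patched() {
    level=$(java_update_level "$1") || return 2
    have_major=${level% *}
    have_update=${level#* }
    [ "$have_major" -eq "$2" ] || return 2
    [ "$have_update" -ge "$3" ]
}

# Minimum update levels for the October 2012 Java SE CPU, taken from Oracle's
# advisory (assumption: these numbers are not stated on this page).
JAVA7_MIN_UPDATE=9
JAVA6_MIN_UPDATE=37

# check_banner BANNER  ->  one-line verdict; exit status as java_is_patched
check_banner() {
    level=$(java_update_level "$1") || { echo "unrecognised java -version output"; return 2; }
    have_major=${level% *}
    have_update=${level#* }
    case $have_major in
        7) need=$JAVA7_MIN_UPDATE ;;
        6) need=$JAVA6_MIN_UPDATE ;;
        *) echo "Java $have_major: not covered by this check"; return 2 ;;
    esac
    if java_is_patched "$1" "$have_major" "$need"; then
        echo "Java $have_major update $have_update: patched (>= update $need)"
    else
        echo "Java $have_major update $have_update: OUT OF DATE, needs update $need"
        return 1
    fi
}

# check_local_java: inspect the real runtime on PATH. `java -version` writes its
# banner to stderr, hence 2>&1. Not run automatically so the script also works
# on hosts without Java.
check_local_java() {
    command -v java >/dev/null 2>&1 || { echo "java not installed"; return 0; }
    check_banner "$(java -version 2>&1)"
}

# Constructed sample banners (not captured from any real machine):
PATCHED_7='java version "1.7.0_09"
Java(TM) SE Runtime Environment'
OLD_7='java version "1.7.0_07"
Java(TM) SE Runtime Environment'
APPLE_6='java version "1.6.0_37"
Java(TM) SE Runtime Environment'

for b in "$PATCHED_7" "$OLD_7" "$APPLE_6"; do
    check_banner "$b" || true
done
```

Note that `java -version` only tells you about the runtime first on `PATH`; a browser plugin or a bundled JRE inside an application can be a different, older copy, so on a machine with several installs run the check against each `java` binary you find rather than trusting the first answer.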

As an aside, this update also removes the Java applet plugin from all OS X web browsers. This means that when you visit a web page containing a Java applet, the browser will direct you to download Oracle's Java plugin. While this may mean more work for users, it also ensures that OS X users get the latest version of Java directly from Oracle. In the past, Apple has received flak for shipping its version of Java much later than the original Oracle update. This change takes that pressure off Apple. — Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Security Bytes Tagged With: Apple, drive-by download, Oracle, sun, Updates and patches
