This week, Oracle released their quarterly Critical Patch Update (CPU) for October 2012, as well as a separate Java SE security patch. Apple also released OS X Java updates, in relation to Oracle’s Java patch. I describe all these updates below.
Oracle CPU for October 2012:
Oracle CPUs are collections of security updates, which fix vulnerabilities in a wide range of Oracle products. According to their October CPU advisory, this quarter’s updates fix 109 vulnerabilities in many different Oracle products and suites.
Refer to the table below for more details about the affected products and severity of the flaws:
| Product or Suite | Flaws Fixed (CVE) | Max CVSS |
|---|---|---|
| Sun Product Suite | 18 | 7.8 |
| Supply Chain Product Suite | 9 | 5.5 |
| Financial Service Software | 13 | 5.5 |
Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 109 vulnerabilities differs greatly, some of them pose a pretty critical risk.
For instance, the updates for Oracle Database Server and Fusion Middleware both fix vulnerabilities with a CVSS score of 10—the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert.
Oracle Java SE CPU:
Oracle also released a separate CPU advisory for Java SE, announcing a security update that fixes 30 vulnerabilities in the popular interpreter used to run Java applications. Again, Oracle doesn’t describe these flaws in technical detail. They only share their severity. However, they’ve assigned ten of the vulnerabilities the maximum CVSS severity score (10), which typically means that remote attackers can leverage them to gain complete control of your computer. In the case of Java attacks, this typically means enticing you to a web site containing malicious Java code.
Personally, I think this Java update is more important than all the patches in Oracle’s primary CPU, simply because almost everybody has Java installed. Right now, Java is one of the most targeted applications for drive-by download attacks, and every major underground web exploit framework has many Java exploits built-in. If you haven’t already, you should patch Java immediately. You can find more information on where to get the update in the Patch Availability Table of Oracle’s advisory.
In a related note, a while back a researcher found a serious “sandbox escape” vulnerability in Java. This update still does not fix that particular flaw. The good news is the researcher has not disclosed the technical details of this flaw to the public, so attackers aren’t exploiting it in the wild. Nonetheless, I would still keep my eye out for a patch, since I’m sure blackhat hackers are now searching for it.
Apple Releases Java Updates for OS X:
Finally, yesterday Apple also released Java updates for all current versions of OS X. Apple packages their own version of Java for OS X, probably to make it easier for users to run Java apps. This means when Oracle updates Java, Apple has to update their version separately.
Yesterday’s OS X Java updates fix the same vulnerabilities mentioned in the official Oracle update above; only OS X users need to install Apple’s version of the updates. If you use OS X, download and install Java for Mac OS X 10.6 Update 11 or Java for OS X 2012-006 immediately, or let Apple’s Software Update program do it for you.
As an aside, this update also removes the Java applet plugin from all OS X web browsers. This means when you visit a web page containing a Java applet, the browser will direct you to download Oracle’s Java plugin. While this may cause more work for users, it will also ensure OS X users can get the latest version of Java. In the past, Apple has received flak for updating their version of Java much later than the original Oracle update. This change takes the pressure off Apple. — Corey Nachreiner, CISSP (@SecAdept)