Stormy October patch day for Oracle
Oracle's October Critical Patch Update (CPU) has it all: the software company has fixed nearly 140 vulnerabilities in various products. In Java alone, Oracle has closed a total of 30 holes, 29 of which are potential candidates for the worst-case scenario: allowing attackers to remotely inject malicious code, for example via infected web pages. Other products covered by the CPU include Oracle Database, Fusion Middleware, MySQL, Solaris, VirtualBox and many other components.
The Java holes affect releases in every version branch from 5.0 upwards, as well as 1.4.2_38 (and older), together with the corresponding development kits. Oracle has also patched the JavaFX framework. Most of the Java vulnerabilities were discovered by Adam Gowdiak, a Polish security researcher who has already found and privately reported multiple critical holes to Oracle this year as part of his SE-2012-01 project.
However, talking to The H's associates at heise Security, Gowdiak said that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java. According to the researcher, Oracle told him that the October CPU was already in its final testing phase when he reported the vulnerability. Therefore, this vulnerability and another, less critical hole will be closed at the next scheduled Java patch day on 19 February 2013.
Java holes are primarily exploited via specially crafted web pages that attack a browser's Java plugin. Anyone who can do without the Java plugin is advised to disable it – a recommendation that has also been made by many security vendors and the German Federal Office for Information Security (BSI). Users can check if the Java plugin is enabled in their browser by consulting The H's browser check page.
The current version, Java 7 Update 9, is available to download on Oracle's Java site. Oracle recommends that affected users and administrators install the patches as soon as possible. Java developers will find updated Java Development Kits on Oracle's developer site.