It must suck to be Eric Maurice.
He must have done something so bad in a previous life that he’s been lumbered with the job of director of software security assurance at Oracle, which means it’s his unpleasant duty to regularly inform the world of just how many security holes there are in Oracle’s software.
Yesterday, as he explains on the Oracle security assurance blog, Maurice announced that Oracle had released patches for a stonking 154 vulnerabilities:
The October 2015 Critical Patch Update provides fixes for 154 new security vulnerabilities across a wide range of product families, including: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.
Poor Eric. All he wants to do is tell the world what a great job his company is doing fixing security vulnerabilities, and everyone is going to be asking how quite so many flaws and holes can have made it into the software in the first place.
Clearly most of these security vulnerabilities require businesses to take action, but whenever the flaws include Java there is also a requirement for many consumers to ensure that they are either updating their systems or throwing Java into the trash can.
The good news is that Oracle says it has no evidence that any of the most severe vulnerabilities are being exploited in the wild, but – as we all know by now – malicious hackers sometimes reverse-engineer patches in order to find out how to exploit vulnerabilities on systems that have not yet been patched.
The truth is that running software like Java or Adobe Flash on your computer increases your attack surface, and opens up opportunities for malicious hackers to strike.
So, at the very least, consider disabling Java in your web browser.
And, if you really do have in-house websites or visit sites that require you to have Java enabled, perhaps consider having a secondary browser that you only use when visiting those sites – rather than leaving the technology turned on in your regular browser for all of your surfing.
For more details of Oracle’s October 2015 security updates, check out the company’s advisory.