Oracle fixes 127 vulnerabilities in its products
Posted on 16 October 2013.
The story here is that Oracle has synced up their Java patching with the rest of their patching cycle and, when it comes to vulnerabilities, Java always steals the show.

The CPU includes fixes for 127 vulnerabilities in Oracle products, but aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5 vulnerability in MySQL's Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting.

The Java patches include 51 of the 127 addressed issues. Of the 51 issues, 21 are CVSS scores of 9 or higher, meaning they would allow an attacker to gain control of the system in the context of the running user with limited complexity to exploit.

The vast majority of these issues affect the Java browser plugin and users, first and foremost, are advised to keep up-to-date with patches. Secondly, users should take advantage of all the signing and execution restrictions offered by the latest plugin versions.

Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin. Otherwise, run Java in the most restricted mode and only allow signed applets from whitelisted sites to run.

Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.


Don't sink your network

Too many of today’s networks are easy to sink. One attack pierces the perimeter, and all of the organisation's most sensitive data comes rushing out. Soon after, their logo is slapped across the evening news as the pundits start circling the water.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Oct 13th