Oracle Patches 144 New Security Vulnerabilities to Start 2014
Unlike Microsoft's first patches of the new year, Oracle users will have a whole lot of updates to perform to secure their environments.The new year is starting off with a bang for Oracle, at least in terms of security updates. In sharp contrast to Microsoft, which today released just four security bulletins, Oracle fixed a staggering 144 new vulnerabilities spread across its software portfolio as part of its quarterly Critical Patch Update (CPU). At the top of the list with the most fixed vulnerabilities and widespread impact are 36 security fixes for Oracle's Java. Oracle first began to include Java security fixes as part of its main CPU release in October of 2013. At that time, Oracle fixed a total of 127 vulnerabilities, with Java accounting for 51 of them. With the January crop of Java vulnerabilities, 34 of the 36 flaws are remotely exploitable without user authentication, making them among the most dangerous types of software flaws. Going a step further, Oracle has ranked five of the new Java vulnerabilities as having the highest possible Common Vulnerability Scoring System (CVSS) score of 10. Java is among the most attacked and the most patched piece of software in use today. Multiple vendors, including Hewlett-Packard and Kaspersky Lab, reported a surge in Java attacks during 2013. According to Kaspersky, between March and August of 2013, there were at least 8.54 million Java exploit attacks. Brian Gorenc, manager of the Zero Day Initiative at Hewlett-Packard Security Research, spoke at length about Java exploits during a Black Hat USA 2013 session. While Java zero-day exploits are responsible for some attacks, the majority are attacks against vulnerabilities that Oracle has already patched in a public update, though users have not yet updated their own systems.
"Unfortunately, with Java being an enterprise platform, there are many software vendors that only support the older (exploitable) versions of Java," Tommy Chin, technical support engineer at Core Security, told eWEEK. "Companies who own and depend of this type of software are locked down from upgrading because the upgrade will break their existing production Java application."