Oracle has released a large Critical Patch Update (CPU) that plugs 127 security holes in its software offerings, including 51 fixes for the Java application framework.
Many of Oracle's enterprise products such as the 11g and 12c databases are affected, along with the Fusion Middleware, PeopleSoft, Siebel, and the Health Sciences and Retail product suites.
The company advises customers to apply the CPU fixes as soon as possible due to the threat posed by successful attacks, some of which enable miscreants to remotely control systems.
Updated versions of Java are also available separately for desktop and laptop users, from a different Oracle site.
On Oracle's Software Security Assurance blog, Eric Maurice says that 50 of the 51 vulnerabilities in Java SE are remotely exploitable without authentication.
However, Wolfgang Kandek of security vendor Qualys notes that 12 of the Java SE vulnerabilities let attackers remotely take full control over machines.
Kandek said the most common attack vector for Java is web browsing and malicious web pages on client machines, but two critical vulnerabilities apply to server-side deployments as well.
According to Kandek, as there are no further public updates for the older Java 6, people should update to the newer Java 7 update 45 as quickly as possible. Java 6 should not be used for any activities that connect to the Internet, Kandek says.
Earlier this week, Apple issued an update for Java 6, bumping the version up to 1.6.0_65 and uninstalling its own applet plugin from web browsers. Apple now says to use the Oracle-supplied version of Java for web browsers rather than its own.
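To turn Kandek's advice into a check that can be run across a fleet, the following added example (not code from the article, Oracle, or Qualys) parses the first line that `java -version` prints and flags anything that is Java 6, or Java 7 below Update 45; the version-string format is the legacy `1.<major>.0_<update>` layout, and the sample lines are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Baseline stated in the article: Java 7 Update 45 carries the October 2013 CPU fixes.
PATCHED_MAJOR = 7
PATCHED_UPDATE = 45

# Constructed sample lines in the shape `java -version` prints on its first line.
SAMPLE_VERSION_LINES = [
    'java version "1.7.0_45"',
    'java version "1.7.0_40"',
    'java version "1.6.0_65"',   # Apple's final Java 6 build mentioned in the article
    'openjdk version "1.7.0_45"',
    'not a java version line',
]

_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(line: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a line such as 'java version "1.7.0_45"', or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    # Legacy Java version strings carry the real major number in the second field.
    return int(m.group(2)), int(m.group(4))


def classify_java_version(line: str) -> str:
    """Classify an installed Java against the update level the article recommends."""
    parsed = parse_java_version(line)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major <= 6:
        return "eol"  # Java 6: no further public updates, keep it off the Internet
    if (major, update) >= (PATCHED_MAJOR, PATCHED_UPDATE):
        return "patched"
    return "unpatched"


def audit(lines):
    """Map each version line to its status so the result can be reported or asserted on."""
    return {line: classify_java_version(line) for line in lines}


if __name__ == "__main__":
    for line, status in audit(SAMPLE_VERSION_LINES).items():
        print(f"{status:9} {line}")
```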
Maurice says the October 2013 CPU is the first to integrate Java SE patches, and that in the future, all security updates will be released on the same schedule.
Due to this, Maurice says that the average number of fixes in future CPUs will be greater than in previous updates.