Jump to content
Aerosol

Oracle releases 167 critical security fixes for Java and Sun systems

Recommended Posts

Posted

new-oracle-building-540x334.jpg?1421168721

Oracle has released a critical patch update fixing 167 vulnerabilities across hundreds of its products, warning that the worst of them could be remotely exploited by hackers.

The pressing fixes involve several of Oracle's most widely used products and scored a full 10.0 rating on the CVSS 2.0 Base Score for vulnerabilities, the highest score available.

"The highest CVSS 2.0 Base Score for vulnerabilities in this critical patch update is 10.0 for Fujitsu M10-1 of Oracle Sun Systems Products Suite, Java SE of Oracle Java SE, M10-4 of Oracle Sun Systems Products Suite and M10-4S Servers of Oracle Sun Systems Products Suite," read the advisory.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply critical patch update fixes as soon as possible."

Oracle warned that the updates for Fujitsu M10-1 of Oracle Sun Systems Products Suite are particularly important.

"This critical patch update contains 29 new security fixes for the Oracle Sun Systems Products Suite," the advisory said.

"Ten of these vulnerabilities may be remotely exploitable without authentication [and] may be exploited over a network without the need for a username and password."

The Oracle Java SE update fixes 19 flaws, 14 of which were also remotely exploitable.

The next most serious flaws relate to Oracle's Fusion Middleware, which received 35 security fixes. The worst carries a 9.3 rating and could also be remotely exploited.

The update follows reports that hackers are targeting enterprise companies with malware-laden patches purporting to come from Oracle.

The news comes during a period of heated debate about patching best practice. Microsoft announced plans on 9 January to stop offering non-paying customers advanced patch notifications.

The announcement led to a backlash in the security community, many feeling that the move is a money-grabbing tactic by Microsoft.

Prior to the move, Microsoft came to blows with Google over the search firm's public disclosure of a Windows bug.

Google Project Zero researchers publicly disclosed the bug in December 2014 having privately reported it to Microsoft in September. The move led to a debate about what constitutes responsible threat disclosure.

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...