In what appears to be yet another attempt to un-make Swiss cheese, Oracle has released almost a dozen-dozen patches for more than a dozen of their products, including 51 for the troubled Java software alone, with nearly all of them remotely exploitable without authentication.
The Java updates mostly target flaws in Java Applets and Java WebStart, and many will require operating system vendor support rather than arriving through auto-updates, which further complicates patch management for users.
“[The] 51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser. Worse yet, all but one are remotely exploitable without authentication,” said Chester Wisniewski from Sophos Canada.
Wisniewski advises that Java can be useful for many applications, but it should not be enabled in browsers, where it presents the greatest risk of being exploited.
“If you don’t need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn’t belong in your browser. If you’re not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions,” Wisniewski said.
Wisniewski offers some detailed advice for determining if Java is enabled in your browser and how to disable it. He also has some advice for Oracle, and he pulls no punches.
“I heard that Oracle won the America’s Cup recently which leads me to give them some unsolicited advice. Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash. 3+ billion devices will thank you,” Wisniewski said.