Oracle spoils your day with NEARLY 150 patches

Systems administrators who decided it would be a quiet week were wrong: Oracle has flicked out more than a hundred security patches, and when you're finished, it'll be time to round up any Blackberry users in the company and apply some patches for them. Let's start with Oracle, which among other things is taking another stab at …

COMMENTS


"securing Java, fixing 36 vulnerabilities of which 34 are “remotely exploitable without authentication”. All but one are client-side vulnerabilities, and ten of them are rated by Oracle at 9.3 or 10 on its vuln scale."

Hahahahahaha sweet jesus...


really?

Unless you live under a rock, you have no business sounding surprised.


Re: really?

But the horse is dead!

Java now makes XP seem robust and secure. All the old gags about Microsoft and security now seem to apply better to Oracle and Adobe.

Anonymous Coward

Re: really?

Yep - SQL Server has had hardly any vulnerabilities across years and many versions. Oracle's Database has had hundreds.....Windows Server also has much better vulnerability numbers versus Oracle's Linux and Solaris OSs....

And .Net versus Java? LOL - something like 3 orders of magnitude difference in number of holes...


Re: really?

I don't think anyone is surprised, more like delightfully amused...

A pint as Friday is just around the corner!


Re: sweet jesus...

No, that's an Apple project.


Re: All the old gags about Microsoft

Except even Bill Gates wasn't arrogant enough to hold patches for 90 days.


Oracle spoils your day with a GROSS of patches

FTFY. 144 = 1 gross, or "over 140". Not "nearly 150". Plus "gross" as in "yuck" or "gross negligence" seem quite appropriate as well.

http://www.thefreedictionary.com/gross


Not just a security update

In keeping with past practices, this is not just a security update for Java from Oracle. No, like many previous releases of Java, there are also major functionality changes included, that once again mean that enterprises can't just push the security updates out, because the bundled non-security changes break stuff. (e.g. Java 7u51 requires that every app be recompiled with a new manifest and digitally signed).

For enterprises that have inventories of tens or hundreds of Java applications, cost aside, the requisite remediation that has to happen BEFORE the latest security patches can be deployed is simply not feasible in a timeframe that would avoid lengthy exposure to all the nasty malware that we know is actively targeting Java. The arrogance on the part of Oracle is stunning - they are still ten years behind companies like Microsoft on the patching front.


Re: Not just a security update

Oops, very surprised by this. Perhaps Oracle has a hidden agenda here - gently push enterprises to drop Java? If Java is not generating (enough) profit for Oracle, they might have a motivation to do this.

Anonymous Coward

Re: Not just a security update

"In keeping with past practices, this is not just a security update for Java from Oracle"

So it includes more than the 34 stated security fixes? Uggg...I hate vendors that mix critical updates with non essential ones and don't let you choose....Really bad practice...

Anonymous Coward

Re: Not just a security update

"Java 7u51 requires that every app has to be recompiled with a new manifest and digitally signed"

Or that you just turn the security settings tab down 1 notch...

No warnings during install though - and no developers / websites seem to be aware....

Anonymous Coward

Re: Not just a security update

I'm shocked to hear that (a) Oracle has broken backwards compatibility with a patch, which is a no-no-no-no, much less in enterprise environments and (b) there aren't separate patch streams for "security" vs. "bug fixes" vs. "new functionality"

Some people (like Linus Torvalds) argue that security and bug fixes should really be a single stream, because after all every bug is potentially a security problem (at least a DoS one) and every security issue can be at least conceptually flagged as a bug (at least a design one, perhaps also an implementation one).

But mixing functionality changes with bug fixes and security fixes? That's a big, big mistake.

Anonymous Coward

Re: Java 7u51 requires that every app

If you are following their security model yes, but there are changes you can make in the desktop configuration that will allow the apps to run.

We have a set of apps here that require client side java and the people who update them are even slower than Oracle* when it comes to updates (dedicated teams for each app). The security guys for my branch decided to push the updates anyway and adjust the Java security settings from "High (recommended)" to Medium. High won't let unsigned apps run, Medium pops up the security prompt just like the previous version did. Maybe our security team's fix leaves the barn door open, but I don't see that not installing the patches doesn't leave the barn door open as well.

*I don't mean the usual delays one should expect for regression testing. I mean at one point they were running a version that was so old even Sun had listed the software as "obsolete". Not simply "unsupported" but "obsolete".

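The two posts above ("Not just a security update" and "Re: Java 7u51 requires every app") describe the same remediation problem from both ends: the main JAR of every signed app now needs the manifest attributes 7u51 checks (Permissions is required, Codebase strongly recommended), and a client left at "High" refuses unsigned JARs outright while "Medium" merely prompts. The following is an added example, not code from any poster or from Oracle: a small Python audit that walks a JAR's MANIFEST.MF (honouring the JAR spec's space-prefixed continuation lines), checks for jarsigner's signature files, and reads the client level from a deployment.properties body. The sample JARs and properties text are constructed inline; the signature files in them are placeholders for the presence check only, and the deployment.security.level key and its HIGH/MEDIUM values are assumed to match the Java Control Panel of that release.

```python
import io
import zipfile

# Main-JAR manifest attributes Java 7u51 looks at for a signed RIA when the
# client runs at "High": Permissions is required (value "sandbox" or
# "all-permissions"); Codebase and Application-Name are recommended.
REQUIRED_ATTRS = ("Permissions",)
RECOMMENDED_ATTRS = ("Codebase", "Application-Name")
VALID_PERMISSIONS = ("sandbox", "all-permissions")


def parse_main_attributes(manifest_text):
    """Main (first) section of a MANIFEST.MF as a dict.

    JAR rules: "Name: Value" headers; a line starting with one space
    continues the previous header; a blank line ends the main section.
    """
    attrs, last_key = {}, None
    for line in manifest_text.splitlines():
        if line == "":
            break  # per-entry sections follow; not needed here
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header: skip it rather than abort the audit
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def audit_jar(jar_bytes):
    """Audit one JAR: is it signed, and does its manifest carry the attributes?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            manifest = ""
    attrs = parse_main_attributes(manifest)
    # jarsigner leaves a signature file (.SF) plus a signature block (.RSA/.DSA)
    # under META-INF. Presence only: this does not verify the signature, nor
    # tell a CA-issued certificate from a self-signed one (also blocked at High).
    has_sf = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
    has_block = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA"))
                    for n in names)
    perms = attrs.get("Permissions")
    return {
        "signed": has_sf and has_block,
        "missing_required": [a for a in REQUIRED_ATTRS if a not in attrs],
        "missing_recommended": [a for a in RECOMMENDED_ATTRS if a not in attrs],
        "bad_permissions": perms is not None and perms not in VALID_PERMISSIONS,
        "attributes": attrs,
    }


def blocked_at_high(report):
    """True if a 7u51 client at the default "High" level would refuse this JAR."""
    return (not report["signed"]
            or bool(report["missing_required"])
            or report["bad_permissions"])


def client_security_level(deployment_properties):
    """Read deployment.security.level from a deployment.properties body.

    Assumed semantics, per the thread: HIGH blocks unsigned apps, MEDIUM
    prompts for them. An absent key means the default, HIGH.
    """
    for line in deployment_properties.splitlines():
        line = line.strip()
        if line.startswith("deployment.security.level="):
            return line.split("=", 1)[1].strip().upper()
    return "HIGH"


def build_sample_jar(manifest_main, signed):
    """Constructed sample JAR: a manifest, a class stub and, if requested,
    placeholder signature files (present, not cryptographically valid)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_main + "\n\n")
        if signed:
            zf.writestr("META-INF/APP.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/APP.RSA", b"\x30\x00")
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed inputs: the app as the in-house team left it, and the same
# app after the manifest rework the thread describes.
LEGACY_MANIFEST = "Manifest-Version: 1.0\nMain-Class: com.example.Main"
UPDATED_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Main-Class: com.example.Main\n"
    "Permissions: all-permissions\n"
    "Codebase: https://intranet.example.com/apps/\n"
    "Application-Name: Expense Re\n"
    " porting Client"  # continuation line, joined by the parser
)

if __name__ == "__main__":
    for label, jar in (("legacy", build_sample_jar(LEGACY_MANIFEST, False)),
                       ("updated", build_sample_jar(UPDATED_MANIFEST, True))):
        r = audit_jar(jar)
        print(label, "blocked at High:", blocked_at_high(r), r["missing_required"])
    print("client level:", client_security_level("deployment.security.level=MEDIUM\n"))
```

Run over an inventory of JARs, the first two functions tell you which apps will stop working the moment the update lands at "High"; the third tells you which desktops someone has already quietly dropped to "Medium", which is the trade-off the last post describes. A clean report here still says nothing about whether the signing certificate is trusted, so treat it as a triage list, not a verification.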
Anonymous Coward

Sun

Of course, most of the worst affected products here aren't actually Oracle developed...


Why is this a surprise?

Richard, ever since Oracle bought Sun (and likely from before but I can't speak to that), the Critical Patch Update has come out quarterly around the middle of that month. I'm not quite sure why you are so surprised that this came out? I'm sure you don't mean to imply that Oracle should not be releasing bug fixes.

alan.
