36 Java Flaws Fixed in Oracle's Security Patch

Oracle's quarterly patch arrived on Tuesday with new security fixes for 144 vulnerabilities across its products, including 36 fixes for Java Standard Edition 7 (Java SE 7).

Thirty-four of the Java vulnerabilities "may be remotely exploitable without authentication." The list of affected Oracle products includes several versions of the Oracle Database and Fusion Middleware, as well as its business applications, Sun Systems products and MySQL. 

Oracle announced the update on its Web site and strongly advised its customers to apply the fixes as soon as possible.

Oracle issues Critical Patch Updates (CPUs) on a quarterly basis on the Tuesday closest to the 17th day of January, April, July and October, so the announcement was expected. But the media spotlight was especially hot on this one, because it followed news that Yahoo's advertising servers were distributing malware to hundreds of thousands of users, mostly in Europe -- an exploit enabled by a Java vulnerability. Analysts at Fox-IT, a security firm based in the Netherlands, broke the news on January 3. That exploit affected users between December 27, 2013 and January 3, 2014.

The ongoing exploitation of Java -- to be precise, the Java browser plugin -- raises the question: Is Java less secure since Oracle took over?

"I get that question all the time," said Gartner Group analyst Mark Driver. "But I think Oracle has been putting more engineering efforts into securing Java than Sun was doing. The unfortunate fact is, there will never be a moment when we can really say, We've fixed Java. Over time I think it can be made harder and harder to hack. But this is an ongoing game of catch up -- of hack and fix, hack and fix."

His advice to developers: Don't use heavyweight RIAs (rich Internet applications) if you don't have to.

"That wasn't possible in the past, because there were tremendous compromises involved," Driver said. "But with Ajax, and especially HTML5, it's possible to replace a lot of what's happening in Flash, Silverlight or Java. The use of heavyweight RIAs is plummeting and will continue to plummet over the next five years. They'll all but disappear off the Internet in a few years as HTML5 matures."

Oracle wasn't the only big software vendor issuing security patches this week. Adobe released patches for its AIR runtime, Acrobat XI, Reader and Flash Player. And Microsoft released security updates for its Dynamics AX, Office, Server Software, and Windows OS.

About the Author

John K. Waters is a freelance author and journalist based in Silicon Valley. His latest book is The Everything Guide to Social Media.
