Oracle released an update to patch 248 vulnerabilities found in over 50 product lines, including Oracle Database, Java SE, and Oracle E-Business Suite.
The company stated that previously patched vulnerabilities were successfully exploited because administrators had not yet installed updates. In a strongly worded advisory, it wrote, “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
Oracle settled with the Federal Trade Commission (FTC) in December over the agency’s 2010 complaint that the software maker deceived users of its Java software with false claims over the security of the Java product. Java was a main focus of a blog post by security assurance director Eric P. Maurice. He advised users to remove obsolete Java SE versions from their computers “if they are not absolutely needed.”
Desktop versions of Java have been attacked frequently, wrote Qualys CTO Wolfgang Kandek on the Qualys corporate blog. “Attackers like applet vector, serving a Java application through a webpage and taking control of the targeted machine,” he noted. “Oracle has been working over the last year to close down that vector by enabling it only selectively through Deployment Rulesets.”
Maurice at Oracle also wrote that none of the Oracle Database vulnerabilities are remotely exploitable without authentication.