Oracle Patches 136 Flaws In 49 Products 23
An anonymous reader writes: Oracle has released the April 2016 Critical Patch Update, which provides fixes for 136 vulnerabilities in 49 products, including Java SE and MySQL, the company's Database Server and E-Business Suite, its Fusion Middleware, and its Sun Systems Products Suite. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," the company advised.
IOW Oracle in Software business (Score:2)
I do like how they managed to call their customers idiots in the same announcement.
and in doing so (Score:2, Funny)
... and in doing so, introduces 243 bugs.
Re: (Score:1)
99 bugs in the code, 99 bugs in the code. Take one down, patch it around 127 bugs in the code
Re: (Score:2)
And the price of support contracts doubles - retroactively.
Do I still need to uncheck the "ask.com" box? (Score:2)
I mean, does ask.com exist outside of people who updated Java searching how to make it go back to whatever they already had?
Re: (Score:1)
This time it was some Amazon crapware for me... Uncheck that box PDQ.
"Actively supported" is the key here (Score:4, Interesting)
Define "Actively Supported," Oracle.
I work in an industry whose IT ecosystem has lots of legacy baggage, and has strata of old systems that can be pinpointed to Programming Fad of the Year in the year they were built. Worse yet, my specialty is end user stuff, so my job lately has been to try to clean some of this up. We've got insanely complex Java applets, lots of really old Flash web stuff, Visual Basic 6 that heavily relies on towers of COM+ libraries, web apps that use every single quirk of IE 6, massive ActiveX applications that require scary levels of local permissions to function, and so on. To make it fun, the nature of our industry is such that these are mostly bespoke, one off applications written by companies that don't exist anymore, people we can't find, or consultancies that want millions of dollars for upgrades. Getting this all working on modern systems is a huge challenge, especially when your new normal is supporting non-quirky applications from the present day that are pretty well behaved.
Oracle doesn't make this any easier by not patching flaws in older JREs or other software if you don't pay for extended support. In fact, one issue I had that's thankfully gone now was Oracle's own financial product relying on Oracle's own recompiled JRE (the "JInitiator." Under the covers, Oracle still is patching these security holes for customers who pay an exorbitant license fee to run the "free" client side JRE. They don't release them to the public, ostensibly to get consumers to upgrade, but we know the real reason.
I know companies can't support software forever, but the previous (pre Sun/Oracle merger) environment encouraged client side Java use by giving away the JRE and JDK for free and keeping them patched. Now, applets and browser plugins are a bad idea, everyone realizes this now. But software from the early to mod 2000s relies heavily on them.
Re: (Score:2)
And at what point do your clients realize that all of the above behavior by companies can be avoided by simply using/writing open source solutions?
Re: (Score:2)
Re: (Score:3)
At least you'll have access to the source code and can give it to a new contractor for further work/fixes. The main problem as GP states is that you get binaries from organizations that either no longer exist or turn into extortionists to fix anything. If you have the source, at least that is no longer a valid excuse.
Re: (Score:2)
Re: (Score:2)
I work in an industry whose IT ecosystem has lots of legacy baggage, and has strata of old systems that can be pinpointed to Programming Fad of the Year in the year they were built.
That's awfully non-specific because this applies to, like, all of them.
Re: (Score:2)
They don't release them to the public, ostensibly to get consumers to upgrade, but we know the real reason.
We do indeed: they want customers to upgrade. There is no reason to expect otherwise - it is common practice that SW companies don't want to have to keep patching old versions, because 1) there is a new version in which the flaws are being fixed, and people should upgrade, and 2) it is an expense that you get no reward for. I think it is perfectly reasonable that you only want to do this work, if you are payed - many companies won't, even for good money.
In other news. (Score:3)
Re: (Score:2)
It's funny you mention that, but it makes sense. Simple software with simple features is hard to screw up security-wise. Abstraction, feature bloat, relying on massive third-party libraries you don't control, etc. are usually the root cause of these problems.
Then again, in the Windows world, once in a while an exploit comes completely out of left field. I think a few years ago there was a patch for Windows Paint of all things, and an exploit in the code for the font subsystem. Talk about stuff that never ch
Re: (Score:2)
You forgot all about: CVE-2011-1991 and there must have been several others but I can't be bothered to look it up. Try opening Notepad with a debugger attached, you see all kinds of crap being loaded including IE stuff.
Re: (Score:1)
MariaDB (Score:3)
Good thing I already installed the patch for Oracle MySQL, it is called MariaDB!