Microsoft And Oracle To Patch Scores Of Vulnerabilities

Oracle issues a whopping 144 patches, including a handful for much-exploited Java


Oracle is today patching reams of vulnerabilities across its product lines, while Microsoft has a much smaller Patch Tuesday roundup than usual.

Oracle is planning to issue 144 vulnerability fixes across hundreds of its products, including 36 for Java, 34 of which could be exploited by an attacker without the need for authentication. Microsoft has only four advisories, by contrast.

As Java was exploited in recent attacks delivered via Yahoo’s ad service, IT chiefs have been advised to pay close attention to the software. The Magnitude exploit kit was used to deliver malware to users running an old version of Java.

Oracle promises Java fixes

“Once again, it might be sensible for you to consider whether you really need Java enabled in your web browser,” recommended security expert Graham Cluley.

A host of other Oracle software is remotely exploitable, including Oracle Database and MySQL Server, making them a top priority for IT teams. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said in its advisory.

Microsoft, meanwhile, has confirmed four security bulletins for January, making it a less stressful release than Oracle’s for IT professionals. None are rated critical, but all are regarded as important, with flaws affecting Microsoft Windows, Office, and Dynamics AX.

It has addressed a flaw in a kernel component of Windows XP and Windows Server 2003, which it had seen “used in conjunction with a PDF exploit in targeted attacks and not on its own”, according to a blog post from Dustin Childs, group manager for response communications at Microsoft Trustworthy Computing.

Experts have noted the lack of Internet Explorer fixes, which have been a mainstay in Microsoft’s Patch Tuesdays for some time. “For the first time in a while, there is not a cumulative IE roll up patch. This must be an indication that the IE team was finally allowed to take some time off over the holidays in light of the gruelling 2013 they put in. Expect them back in February, no doubt,” said Ross Barrett, senior manager of security engineering at Rapid7.
