The researchers who identified the bug are surprised by the decision

Oct 17, 2012 09:01 GMT  ·  By

Oracle has released its October 2012 Critical Patch Update (CPU) to address a number of security holes that could be leveraged by cybercriminals to cause some serious damage.

The CPU fixes vulnerabilities in Database, Fusion Middleware, E-Business Suite, Supply Chain, PeopleSoft, Siebel, Health Science, Oracle FLEXCUBE, Oracle Sun Product Suite and MySQL products.

The Oracle Java SE CPU addresses the bug identified by researchers at the end of August, shortly after the company had released an out-of-band patch for the zero-day that made headlines because it was exploited in the wild.

On the other hand, Oracle hasn’t patched the Java security sandbox bypass vulnerability that affects Java SE 5, 6 and 7. Although this flaw impacts around one billion users, the firm says it will only fix it in February 2013, when the new Java SE CPU is scheduled.

“Oracle's decision to wait with a patch for another 4 months is more than surprising to us, taking into account the severity of the issue and the tone of the press the company has been receiving lately,” Adam Gowdiak, whose team of researchers has identified the vulnerability, told Softpedia in an email.

“Unfortunately, everything indicates that Oracle is neither afraid to expose Java users and its customers to a potential attack for yet another 4 months’ time, nor is it interested to prove itself as a vendor that takes security seriously.”

Oracle hasn’t explained its decision to stick to its release schedule, but if it does, its response will be published on the vendor status page of Security Explorations’ website.

In the meantime, Oracle customers are advised to apply all the updates made available with the October 2012 CPUs to ensure that their machines are protected against cyberattacks.