One Java vulnerability has a CVSS score of 10, the highest possible value

Oct 21, 2015 09:41 GMT

Oracle has a weird way of dealing with security fixes. Instead of issuing a patch whenever a security flaw is detected in one of its products, the company generally waits and releases patches once every three months.

These security release sessions are called Critical Patch Updates (CPU), and Oracle's October CPU included 154 security patches.

In its previous Critical Patch Update sessions, Oracle fixed 193 security flaws in July, 98 in April, and 169 in January.

This quarter's CPU includes patches for products such as Oracle Hyperion, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle E-Business Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, Oracle Industry Applications, Oracle Sun Systems Products Suite, and, of course, the Oracle and MySQL databases.

Oracle's Java SE also received 25 patches; 24 of the fixed vulnerabilities are remotely exploitable, and one of them carries a CVSS (Common Vulnerability Scoring System) Base Score of 10.0, the highest achievable value.

Oracle says that 20 of these Java vulnerabilities affect only client deployments of Java SE (in the browser), while the other 5 affect both client and server Java SE instances.

To safeguard against Java-based attacks, users are encouraged to upgrade to the most recent version, or to remove Java SE from their computers if they no longer need it.