Overall trends point to increased risks from vulnerable code
After two weeks of focusing on Bond-esque vulnerabilities found in microprocessors, it’s time to turn attention to the bellwether of software flaws – the quarterly Oracle Critical Patch Update (CPU). In a pre-release statement, Oracle indicates the first CPU of 2018 will likely be the smallest patch update since April 2016.
Don’t celebrate just yet. The overall number of flaws patched may be lower, but it’s also likely the number of Java SE vulnerabilities will be flat to the October 2017 CPU and represent a year-over-year increase compared to January 2017. New security fixes for the widely used Oracle Database Server are also expected to involve the Java Virtual Machine.
Most of the Java related flaws can be exploited without needing user credentials, with the highest vulnerability base score expected to be 8.3 on a 10.0 scale. The CPU could also include fixes for flaws in Java SE versions 6 though 9.
The January 2018 CPU will be released into an environment where virtually every enterprise on the planet is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be applied. Companies that do business in the European Union are also coming to realize that a breach is not their only risk of incurring a large fine under the pending GDPR security rules – so is a failure to patch.
The Information Commissioner’s Office (ICO) of the United Kingdom cited a “seriously inadequate” patching program when assessing a £400,000 ($675,000) fine for a 2015 breach that exposed personal data for 3.3 million customers and 1,000 employees. The ICO indicated failure to apply patches now could result in GDPR fines when enforcement begins in May.
Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, 16 January. Waratek will release virtual patches for the CPU shortly thereafter.
