Oracle admins today are staring down the barrel of the biggest quarterly Critical Patch Update ever.
The numbers are gory: 308 vulnerabilities patched across more than 90 products, 165 of them remotely exploitable without authentication. So far in 2017, Oracle has patched 878 vulnerabilities across three CPUs.
System and network admins have never been taxed by patching as heavily as they have been this year. On the Windows side, Microsoft has overhauled its security bulletins, replacing them with the cumbersome Security Update Guide. Windows admins have had to deal with critical updates for the SMBv1 bug (MS17-010) exploited by WannaCry and ExPetr, including out-of-band patches for XP and other unsupported versions of Windows. WannaCry and ExPetr exposed how far the industry still lags on patching: both spread through a flaw Microsoft had already fixed in March.
Now Oracle’s mammoth update must be contended with as well; it tops April’s record count of 300 patches.
“Since the April 2017 Oracle CPU, the world has been rocked by global malware attacks that exploit well-known flaws that have readily available fixes,” said John Matthew Holt, CTO of Waratek in a statement. “Overburdened and under-resourced security teams simply cannot apply physical patches fast enough to stay ahead of the attackers.
“Businesses continue to rely on legacy applications that can’t be patched or upgraded, creating yet another avenue of attack,” Holt said. “Now this CPU introduces a new range of flaws for hackers to try to exploit before cyber professionals can plug the holes over the coming months (or year).”