July 15, 2014

Oracle today released a security update for its Java platform that addresses at least 20 vulnerabilities in the software. Collectively, the bugs fixed in this update earned Oracle’s “critical” rating, meaning they can be exploited over a network without the need for a username and password. In short, if you have Java installed it is time to patch it or pitch it.

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 65. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 11.

According to Oracle, at least 8 of the 20 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 9.0 or higher (with 10 being the most severe). Oracle says vulnerabilities with 9.x CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

The trouble with Java is that it has a very broad install base, but many users don’t even know if they have it on their systems. There are a few of ways to find out if you have Java installed and what version may be running. Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).


69 thoughts on “Java Update: Patch It or Pitch It

    1. SeymourB

      But it was listed in the downloads area:
      http://www.oracle.com/technetwork/java/javase/downloads/index.html

      As soon as I saw this article was posted they were listed as available for download.

      I usually go to that page, as those installers normally lack the bundled crapware. Oracle has wisely chosen to not piss off the only people still supporting Java (by writing applets in it).

  1. Marius

    Typing “java” in the command line is likely to give a false negative for most users, personally i had to add jre/jdk to %PATH% manually.

  2. TheOreganoRouter.onion.it

    Not a big fan of Java, always thought it was a big browser memory hog , worse then Flash

  3. Daniel

    The “java -version” only works if you add the java install folder to the %PATH% variable. Type “set path” on cmd and there should be a path like “Program Files\Java\jdk1.7.0_06\bin” or similar.
    I added this manually when I started programming in Java. Since I don’t need to run applets, I just unchecked Run in Browser on the control panel for security. (Though I use the NoScript plugin with Firefox so I’m probably just paranoid.)

  4. Anonymous

    Bryan,

    Which version is safer (if we absolutely must use JAVA SE/JRE),
    Version 7 or Version 8?

    1. Sasparilla

      They should both be up to date.

      Version 8 will continue to be patched longer (since its the newer version), so I’d go with 8 if you don’t have a preference.

      It’s also good to point out that its the Java browser plugin that has the security holes – but these are the holes the bad guys use to run bad stuff – Java itself is relatively secure (and is the reason it continues to be used on business servers).

      1. SeymourB

        Not necessarily just the plugin. Applets can be downloaded and run by neophyte computer users and those exploits can then be run without a web browser involved at all.

        Sometimes the miscreant will use another program to exploit, say (just as an example) your email software, and from there will piggyback onto Java or another OS level program without involving a browser at all.

        It’s certainly safer to have the Java plugin turned off, but safest of all is to either not have Java installed at all or to have it fully patched.

      2. rick

        Strongly agreed! Except as mentioned sandbox exploits after download can be done also.

        I love all this forgetting history, where Java is somehow the most insecure gateway to mayhem there ever was.

        Tech evolves. Way back it was activex that was really bad. Along comes java, the savior of security, with the concept of a good sandbox, signed apps etc. This worked great and was the hero of the web for quite a while.

        But as attacks become more sophisticated, a new approach evolved, javascript is becoming better at doing things only java applets could do, so there you go. Java’s web role is not needed as much.

        So it’s still a powerful language for apps and servers, and it’s fairly secure.

        Watch as years go by and javascript goes from hero to ‘riddled with security holes!’

  5. Canuckla

    download.oracle.com uses an invalid security certificate.

    The certificate is only valid for the following names: *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net (Error code: ssl_error_bad_cert_domain)

    Now why am I not surprised that their web site is hacked or misconfigured in a way that compromises security and trust? 😛

    1. Anonymous

      I better delete the installer I just downloaded from their site. Glad I haven’t installed it yet.

    2. Harry Johnston

      Do Oracle advertise a https version of the download link?

      In any case, you can (and should) check the certificate on the executable after downloading it.

      1. Canuckla

        Check the certificate on the executable? How? I don’t know that Firefox can do anything of the sort — just download it and stick it in a folder somewhere.

        1. Vee

          Files hashes. https://en.wikipedia.org/wiki/File_verification

          So check your download with this for reference: http://www.oracle.com/technetwork/java/javase/downloads/javase8-binaries-checksum-2133161.html

          Another method you could use is just simply uploading it to https://www.virustotal.com/ and if others have uploaded that same file then it’s a high chance you have the legit download. But VirusTotal will also easily tell you the file hash of whatever file you upload under “Additional information”.

          1. Canuckla

            Are you crazy? Those Java downloads are forty or fifty megs. I’m not uploading them anywhere. As for those checksums, I don’t suppose there’s any way I can just click a couple of buttons and get either an “OK” or some sort of a security warning the way there is with the dodgy SSL certificate? If I’d have to download some other software to do this, then that’s a chicken-and-egg problem. Or am I expected to do a bunch of nasty math, or program something myself?

            I’d much rather I could just trust download.oracle.com to actually be download.oracle.com and cannot think of one single good reason why I shouldn’t be able to. SSL isn’t exactly bleeding edge, it can’t be that difficult for Oracle of all companies to get it right on their web site.

            Unless, of course, they did but someone else hijacked their DNS entry. Which is what the browser is warning is likely to be the case.

            1. Vee

              ….

              You want real security or do you want a program that gives you an automated green “ok” mark?

              I gave you solid ways of verifying a file. The only way a HTTPS iffy setup would hurt you is in the case of a man in the middle attack, which if there was one on http://download.oracle.com then other security newsites would be reporting on it, because it’d be a huge story. But also the download would probably have a different hash.

              Basically, HTTPS enabled sites can have forged certificates and man in the middle attacks, but that’s not happening on http://download.oracle.com and your Java download is fine. It’s your browser trying to force the site into using HTTPS and the certificate not matching their download domain.

              Meaning, just get rid of the “s” in the “https://” download link, and it’ll download fine without any notification.

              1. Canuckla

                “I gave you solid ways of verifying a file.”

                No, you didn’t. You didn’t say anything about how I could go about doing that without either doing a great deal of technical stuff myself or downloading yet another executable from somewhere (and verifying that one how, exactly?) even when I specifically asked for that information.

                1. Vee

                  Just “upload” the file to VirusTotal (it won’t upload, because it’ll already be uploaded. But you’ll be able to check the file hashes)

                  If the download file is legit, it’s moot how their download domain is setup because the whole point is to receive the file you’re meant to receive. More than 90% of the stuff you download over the internet is HTTP anyway, yet you don’t lose sleep over verifying all of it.

                  1. Canuckla

                    How would the browser “know” whether VirusTotal already had a file with the same hash as a local file, other than by uploading the file first? Browsers don’t hash files, the last time I checked. VirusTotal might hash files, but it would need a copy to hash it. Really, I don’t see a way around it — to get the forty meg executable hashed I’d have to either upload it somewhere or download and run some other executable that does file hashing.

                    And that, of course, assuming I could get it in the first place, while observing my resolutions to not use IE and to not poke lasting holes in Firefox’s security by granting SSL exceptions.

          2. Alex

            Ah, now there you go wrong. A file hash is *NO* guarantee that the file was built by Oracle (in this case).

            A file hash will prove that the file has not been corrupted during the download, that it is the same as the one the vendor uploaded.
            If an attacker has the ability to upload a malicious file, she or he has the ability to change the webpage with the checksum of the malicious file as well.

            A signed binary’s signature can under MS Windows be inspected by simply right-clicking and selecting properties.

            1. Canuckla

              It’s moot anyway. I can’t even download the file to check it against anything else. Firefox doesn’t give me an option to just ignore the security warning just the once; I have to either create an exception for download.oracle.com or leave it, and I don’t want to be poking lasting holes in the darn thing. And I’m pretty sure I tried changing https to http and it just redirected right back to https.

              (That, and the lack of an opposite redirect or an error such as “connection reset” when download.oracle.com is contacted on the https port also seems to disprove the hypothesis that download.oracle.com isn’t configured for https. If it weren’t, why would it answer https requests with anything other than a redirect, let alone give some other random site’s certificate?)

              Oracle needs to fix its website.

                1. Canuckla

                  OK, “Vee”, you’ve just lost all credibility with me on the matter of computer security. First you tell me to ignore an SSL warning that a domain I tried to reach is apparently not who it says it is, and then you tell me to use Internet Exploder? Yikes!

                  1. Vee

                    I can’t tell if you’re so black and white minded that you honestly can’t help it or if you’re just baiting to fight.

                    Especially considering you yourself probably had to use Internet Explorer to download the Firefox you’re using now… And considering this is all over download a Java installer.

                    My mind is blown.

                    1. Canuckla

                      If you must know:

                      a) I get Firefox onto new or reinstalled systems by downloading it in Firefox on another machine and copying the installer to the target machine using media or a LAN; and

                      b) I use Java to run local software, not applets. Every browser I have either lacks a Java plug-in entirely or has it set to “click to play” (plus, I use NoScript).

      1. Canuckla

        In what way can it possibly be “harmless” that when I try to contact download.oracle.com I get a site offering SSL certificates for some completely unrelated domains? That’s a strong hint that the machine responding to attempts to reach download.oracle.com is not the real download.oracle.com.

        In any event, it smells and advice to ignore security warnings and download an executable anyway, despite indications that someone other than Oracle but pretending to be Oracle might end up being the source of it, doesn’t seem very sound to me. Aren’t we supposed to be in favor of not getting into bad habits like ignoring security warnings around here?

        1. Rick

          Akamai is just a distributed content delivery network. They’re trustworthy.

          1. Canuckla

            Are you claiming they’re hosters that are/may be hosting Oracle? Even if they are, there’s no guarantee whatsoever that they’re not also hosting some blackhat that hijacked Oracle’s DNS entry. And then how would I know which one was which, unless one presented a valid certificate for the domain download.oracle.com?

            1. Lord Crypto

              Akamai is *very* trustworthy, the only real issue they have is that they can be ‘lawfully’ backdoored by a certain Government Agency That Shall Be Unnamed Here.

              If you ever downloaded Windows Updates, you received them from Akamai. The issue here is Oracle is being Uncle Scrooge and doesn’t want to shell out a few bucks to let Akamai install a DECENT certificate.

              1. Canuckla

                Reread my previous comment. The trustworthiness of Akamai is irrelevant. To trust an executable from a random Akamai node that I cannot verify is actually download.oracle.com means I’d have to trust Akamai and every single one of Akamai’s customers, any of whom could actually be serving that executable file.

                Put another way, consider this scenario: bad guy rents hosting from Akamai. Bad guy uploads questionable executable to their web
                space, with a path and filename that matches a Java download at download.oracle.com, say /downloads/java7u65.exe. Bad guy downloads it again and notes the IP address the browser actually fetches from. Bad guy hacks DNS so that download.oracle.com now points to that IP address. Unsuspecting user goes to “oracle.download.com”, gets the certificate mismatch, skips past it (somehow, maybe by not using Firefox, or creating a permanent exception?), and downloads the bad guy’s executable …

                Now tell me how to distinguish the above situation from actually getting Oracle’s file and Oracle merely having misconfigured the download.oracle.com domain’s SSL.

                I don’t think I can. The whole point of SSL certificates is to enable me to tell whether I’ve reached the real download.oracle.com.

                1. CodeMonkey

                  Perhaps you should quit using computers all together as that would be the best bet to circumvent infection of malware and/or someone hacking you. Read the error message. Computers produce them all the time. Not all error messages constitute foul play. Paranoia is not a good security solution, it is just a good way to lose sleep, jump at shadows, and be an irritating prick. Arm yourself with information gained through research and try not to annoy those who are genuinely trying to help by offering advise.

                  1. Canuckla

                    Way to completely and utterly fail to address any part of my argument there, bozo.

                    Now, tell me again why I should trust not only Akamai but all of Akamai’s customers as well? Or else admit that you are wrong.

        2. Vee

          Because that one actually is perfectly fine to ignore. I’m almost certain it’s being triggered by a false HTTPS Everywhere ruleset. Do you also use HTTPS Everywhere (or another HTTPS type of extension)?

          The issue is that they don’t have HTTPS configured to their download page (which is HTTP by default under IE). Yet, for whatever reason (again, for me I’m betting it is HTTPS Everywhere) our browsers are trying to connect using HTTPS. The issue is on OUR end.

          1. Canuckla

            I’m pretty sure that no scary security warning from the browser is “perfectly fine to ignore”. Either users should ignore it when domain A tries to proffer the certificate for domain B, or users shouldn’t. I’m pretty sure that the first case means the terrorists win, so I think I’ll choose what’s behind door #2.

            1. A

              Actually self-signed certificates that give scary warnings can be more secure than a big green “OK” a browser is programmed to give you, and it depends on the situation… Generally security authorities are trustworthy but the green ok is just a specific programmed situation that means something has a minimum level of encryption and the company purchased the certificate from an “authority” the browser is programmed to trust. It’s ridiculous to get into it too much here, but the big green ok you’re used to isn’t the end all be all of how secure a connection is.
              The key is understanding what you’re actually seeing.
              If you create your own self-signed certificate for your own website you’ll have no trouble identifying it and setting up a highly secure https site regardless if you paid a certificate authority to “certify” it and add their own code to it to “verify” you to others.
              So once you are a security professional you can more securely judge a situation by more than a big green ok sign, which people are trying their best to help you with, because I doubt we’re going to get oracle to fix this for you..
              I don’t recommend ignoring warnings in general, but if you understand what they’re really saying they’re not all scary.

    3. bob

      It’s a misconfigured CDN. If the certificate belongs to akamai.com it’s ok.

      1. Canuckla

        It’s a misconfigured whaaa?

        Not that it matters. Which is the better outcome: web sites configure SSL correctly, along with whatever ancillary bits of technobabble, or users start ignoring security warnings from their browsers?

        Or put another way: Which outcome would the black hats prefer? Whatever the answer is to that, we should do the opposite. And I’m willing to bet that in this instance “the opposite” means “Oracle fixes their web server”.

        1. timeless

          As noted elsewhere Oracle needs to pay for a slightly more expensive level of service from Akamai, one which gives Akamai a certificate for download.oracle.com, and where Akamai allocates IP addresses just for the specific server.

          afaict, Akamai doesn’t offer SNI (partially because IE for Windows XP doesn’t support it).

          1. Canuckla

            I don’t know much about half of that (my knowledge is mainly client-side stuff) but I can tell you that that’s no excuse. Microsoft doesn’t support Windows XP anymore, so what Windows XP supports ought to be considered irrelevant nowadays. XP is yesterday’s news.

            1. A

              It basically comes down to understanding.
              If you know what you’re looking at, you can judge a self-signed certificate giving browser warnings as more secure than something that gives you a big green ok just because Verisign goofed up.
              “browser warnings” are often a function of money paid to a certificate authority and less of an indication of trustworthiness. It’s a green checkbox someone paid for from a company you’re generally accepting as trustworthy to take the money and “certify” them.
              In other words, if I were you, I’d trust the people telling you how to update it rather than fuss about exposing yourself to real security risks just because oracle didn’t pay to setup a certificate right.. Bad if you’re worried about permanent exceptions doesn’t Firefox let you edit or revoke it when you’re done? (Tools-options-security-exceptions)…

  6. JCitizen

    Unfortunately, many of my clients still have to use java on end of life XP – so this is the end of the road for many of my poor clients. All I can do is point to Linux or, many of the aggressive protections still available to XP users.

    1. Maureen

      Hi, J. By “aggressive protections” are you referring to anti-virus? I’m asking because I had two laptops running XP and I installed LInux on one, but since I’m a newbie with it I did leave XP on the other. I rarely use the internet on that one though and I do have an anti-virus software on it. Just curious about your advice to people who are still using XP. Thanks.

      1. Vee

        Over at the http://www.wilderssecurity.com/ forums, the gist is that if you lock down an XP machine you can make it secure enough. It’d always be better to switch to an OS that’s still actively supported and updated of course by the developers, but it’s not the end of the world to have a few secondary systems that still run XP for whatever reason.

        That’s a decent way to slowly get into Linux as well, to always have a backup Windows system. Then the learning curve isn’t so bad.

      2. JCitizen

        Thank you Vee, that is always a useful link! 🙂

        Some of the free options are Steady State, which is mentioned in one of Brian’s new articles. If you have a version of XP that is the Professional version, there are some MMC snap-ins and group policy tricks that help a great deal. You can search engine on TechNet and find many of those.

        Then there is EMET – I believe 3.0 works on XP, surely all versions are available some where. Other than that, it would be paramount to build a good blended defense, up to a limit as far as your RAM and CPU will allow. I still have some success fending off attacks in my honey-pot lab using a combination of one good free AV and several AM solutions – preferably ones that mix passive and active protections. There are only two free firewalls I recommend, and I’m not sure Emisoft’s is still free, but Comodo’s still is, and has a good HIPs. Some folks like WinPatrol as a fairly good heuristic intrusion protection system. I pile on Active X blockers like SpywareBlaster and also browser controls by Spybot Search & Destroy. They are getting old,, and long in tooth, but are still resistant to malware manipulation, and use passive real time protection. Anything like that is going to help, even if it is redundant with other products – especially if one of them fails a malware attack. Malwarebytes Anti-Malware is not free for real time protection, but their anti-exploit tool is, and that counts as real time protection in my book. I’ve never tried one for XP, but I’m sure someone makes a white-list for processes for that old venerable software. I should think it would work at least as well as Parental Controls in Vista. I only use the processes part of that utility on Vista. Rapport is still the best anti-key-logger/screen shot blocker I’ve ever tested.

        I would never surf with IE-8 now that it is vulnerable, so using FireFox or Comodo Dragon can at least help, especially if NoScript or ScriptSafe and AdBlock Plus are installed as extensions. And last but not least I always clean with CCleaner before logging off or shutting down.

        1. JCitizen

          P.S. – Even if the operating system can’t be updated, it has become even more important to update the applications and get rid of end-of-life files. Secunia PSI and File Hippo’s Update Checker can be useful for that.

  7. velcro

    Q1
    Does Java also make PCs vulnerable,
    if they run Ubuntu 12.04 Linux?

    Q2
    How to tell if
    a – my Linux PC has Java installed and
    b – any installed programs are using Java?

    thanks for any pointers!

    1. bob

      The issues listed here tend to focus on the web browser plugins. The instructions at the bottom of Brian’s link are OS independent.

      Whether or not you’re running Java apps is irrelevant. Assuming you have a firewall, you should be ok.

      1. velcro

        Thank you Bob and Vee.
        I’ll make sure I disable Java in my FF browser…

    2. Vee

      Most Linux distros do come with some form of Java by default, usually OpenJDK or Oracle Java. For Ubuntu see: https://help.ubuntu.com/community/Java

      Like bob said, the issue is from the web browser plugin, so just disable it in your web browser. I wouldn’t remove it entirely from a Linux distro, there could possible be dependency issues.

  8. Old School

    Each time I notice one of these JAVA articles I am even happier that I removed JAVA from my PC years ago. Thanks Brian! JAVA: Don’t have it, don’t miss it.

  9. Mat2

    Fortunately Java now defaults to click-to-play (irrespectively of the browser used).

    Oracle is a fool that they still support Web Applets. They should mark the whole code deprecated and remove it in Java 9 (while supporting updates for older versions).

    Java installers should not install support for web applets by default.

  10. JP

    Aside from the updates that correct the problem, I see mentions of the top most updates of Java being affected in the advisory.

    For example

    Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

    Does this mean that ONLY these versions are affected or predecessors like Java 7u55,45,40, etc ?

  11. Harry S

    Although the recommendations for removing Java are more consumer oriented, I would clarify that most of the problems with Java are client-related and not server-related (i.e. most issues do not affect web sites or back-end systems powered by Java).

    In this case, I think 3 of the 20 issues affect server-side, and none have high scores (although in any single specific case it could be important).

    Regardless, Java on the client side is not a good idea.

  12. Stratocaster

    And then there are those of us who are still stuck with either internal enterprise web apps or third-party applications (or both) which will only run on Java 6. Wish we could pitch it.

  13. Joe Dirt

    We only have to run old java versions because of Oracle’s other software.
    Hhhmm, seems to be a pattern.

  14. timeless

    The scarier version of the https: issue, from my perspective is that Oracle’s downloader brings me to:
    http://java.com/en/download/installed.jsp

    So, if I were in, e.g., an Internet cafe, and someone decided to MITM me, they could easily convince me to click the link:

    Verify Java and Find Out-of-Date Versions

    Check to ensure that you have the recommended version of Java installed on your Windows computer and identify any versions that are out of date and should be uninstalled.

    Agree and Continue Properties / alt-enter)
    Click the “Digital Signatures” tab.
    Double click the row under “Name of signer”

    It should say:
    Digital Signature Information
    This digital signature is OK.

    the signer should be Oracle America, Inc.
    If you click View Certificate, and then click certification path, it should be:
    VeriSign
    VeriSign Class 3 Code Signing 2010 CA
    Oracle America, Inc.
    (dismiss the dialog)

    There should be a countersignature, from Symantec Time Stamping Services Signer – G4.

    If you double click it, and click view certificate, you can check the certification chain:
    Thawte Timestamping CA
    Symantec Time Stamping Services CA – G2.
    Symantec Time Stamping Services Signer – G4.

    This is more or less the official way to check code-signed applications.
    You really shouldn’t run Windows applications which aren’t code-signed.

    You can read a bit about code signing here: http://en.wikipedia.org/wiki/Code_signing

  15. NilsQ

    If I understand correctly, those are, again, security flaws related to Java Applets only.
    So any user that has deactivated Java in browser (which is possible since a while now) is not vulnerable to this, correct ?

    Thanks already for the upcoming clarification 🙂

  16. Rogerio

    Como eu faço para baixar o Oracle Critical Patch Update Advisory – July 2014?

  17. Lou

    In general, the issues with Java are all related to applets running in the browser.

    Essentially, you can consider running Java in the browser as equivalent to running a random full-fledged program you downloaded from a random website. Just like running “that neat animated monkey app from some random programmer in Russia” is a bad idea, running random Java applets in the browser itself is also a bad idea.

    What makes it tricky is that unless you have click-to-play or some other browser configuration set up properly, Java applets can run in your browser automatically without you knowing it (though newer browsers often add an extra layer of defense by warning you before they run Java, at least).

    If you’re running Java on your desktop, it’s a different can of worms. There are many legitimate programs written in Java that require it to be installed (Minecraft, multiple programmer’s tools such as Eclipse, Netbeans, IntelliJ, and so on). In that case, Java is at most no worse than any random Windows, Mac, or Linux program you download from anywhere. If it came from a legitimate source, you’re probably okay. In fact, one could argue that Java is at least a smidge more secure than the most commonly used languages for developing apps, C and C++, because (and I’m trying not to get too technical here) it has some built-in features that make it impossible make some of the most common security mistakes in C and C++.

    1. Rogerio

      These are vulnerabilities that need correcting.

      Oracle CPU January 2010: Listener

      Missing Oracle Critical Patch Update (CPU) for October 2009

      Missing Oracle Critical Patch Update (CPU) for July 2006

      Missing Oracle Critical Patch Update (CPU) for January 2007

      Missing Oracle Critical Patch Update (CPU) for October 2006

      Oracle CPU January 2010: OLAP

      Oracle Database Obsolete Version

      Oracle CPU July 2010: Net Foundation Layer

      Oracle CPU July 2010: Listener

      Oracle CPU April 2010: Core RDBMS

  18. Rogerio

    Is there any way to update security patches from Oracle 10g?

    1. JCitizen

      If you are referring to java – I’ve had better luck using the updater in the programs file list. I’ve never been able to use the Control Panel applet – in fact it disappeared after the last successful update. Lately I’ve not been able to successfully update java at all. Unfortunately I need it so I can check some security applications, including my ATM appliance. So much for security!

  19. Rogerio

    I’m not talking about Java, I need to update the security patches from Oracle 10g.

Comments are closed.