ORACLE IS UNLEASHING enough patches to keep an army of tramps' trousers in order, and to secure whatever parts of its software might touch your life.
Update or suffer is the message here, as it always is. There is a lot to get on with, and plenty of comment from the insecurity industry about what makes this monthly visit, with its 150 or so tasks, so critical.
The Oracle Critical Patch Update Advisory October 2015 makes it clear that you should get onto this right away.
"Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes," the advisory said. "In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches.
"Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay. This update contains 154 new security fixes."
Affected products include Oracle Database, Mobile servers, Mobile Suite, Java, Fusion and GlassFish. PeopleSoft properties are also prone and patch-worthy, and Oracle recommends fixes for its enterprise expenses software and a whole lot more.
Security firm Malwarebytes reckons that things like this are a good reminder of why firms offer bug bounties, and why those that don't ought to. This is a nod in the direction of a blink-and-you-missed-it blog post by Oracle's chief security officer claiming that the firm can live without the assistance of external security researchers.
Judging by the acknowledgements on the official Oracle information, this is not the case. However, we assumed this when Oracle pulled down the blog post and made some soothing statements.
Malwarebytes, which has been known to spot a problem and flag it, was quick to note this, saying: "Any program can have an undiscovered security flaw, and that's why the last few years of bug bounty programmes have paid dividends.
"A company has finite resources, and it's well worth the cost of setting up a rewards programme to know that potentially anybody out there could be the one to spot something you've missed," said Chris Boyd, malware intelligence analyst at the firm.
"Bug fixing used to be a somewhat mysterious art, and I think demystifying the process with the help of more open dialogue between program creators and end users is a step in the right direction."
Another security firm, Shavlik, also weighed in, saying that this is a huge whack of patches to deal with, and offering some advice on the best way to untangle the official message.
The 154 vulnerabilities being addressed across all Oracle products are 29 more than in Microsoft's recent Patch Tuesday release and the updates from Adobe and Google combined.
"It can be difficult to sift through this much security data to prioritise what needs the most attention, but there are a few things you can use to narrow the priorities," said Chris Goettl, product manager at Shavlik.
"First, pay attention to the vulnerabilities that are remotely exploitable. This means they can be exploited across a network without authentication. With this in mind, Java SE and Middleware should ride to the top of your priority list.
"Java has 25 vulnerabilities being resolved, 24 of which are remotely exploitable. Middleware has 23 vulnerabilities, 16 of which are remotely exploitable."
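As an added example (not code from the article, Oracle or Shavlik) of the triage Goettl describes, the script below takes rows shaped like an Oracle Critical Patch Update risk matrix, puts fixes that are remotely exploitable without authentication first, orders those by CVSS score, and counts per product how many of the fixes fall into that bucket. The column names and the placeholder CVE identifiers are constructed sample data, not values from the October 2015 advisory.

```python
"""Prioritise rows of a CPU-style risk matrix: remote-without-auth first, then CVSS.
Column layout mirrors Oracle's CVSS v2 risk matrices of the period (Access Vector,
Authentication, 'Remote Exploit without Auth?'); the rows are constructed samples."""
import csv
import io
from collections import Counter

# Constructed sample rows with placeholder CVE ids; not from the real advisory.
SAMPLE_MATRIX = """\
cve,product,component,cvss,access_vector,authentication,remote_no_auth
CVE-2015-PLACEHOLDER-1,Java SE,2D,10.0,Network,None,Yes
CVE-2015-PLACEHOLDER-2,Java SE,Libraries,4.3,Network,None,Yes
CVE-2015-PLACEHOLDER-3,Java SE,Deployment,7.2,Local,None,No
CVE-2015-PLACEHOLDER-4,Fusion Middleware,WebLogic Server,7.5,Network,None,Yes
CVE-2015-PLACEHOLDER-5,Fusion Middleware,Portal,3.5,Network,Single,No
CVE-2015-PLACEHOLDER-6,Database,RDBMS,6.5,Network,Single,No
"""


def load_matrix(text):
    """Parse CSV text into dicts; cvss becomes a float, remote_no_auth a bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cvss"] = float(row["cvss"])
        # Only trust the Yes flag when the vector fields it summarises agree:
        # network access vector and no authentication required.
        vector_ok = row["access_vector"] == "Network" and row["authentication"] == "None"
        row["remote_no_auth"] = vector_ok and row["remote_no_auth"] == "Yes"
    return rows


def prioritise(rows):
    """Remotely exploitable without authentication first, then highest CVSS first."""
    return sorted(rows, key=lambda r: (not r["remote_no_auth"], -r["cvss"]))


def remote_counts(rows):
    """Per product: (total fixes, fixes remotely exploitable without auth)."""
    total, remote = Counter(), Counter()
    for r in rows:
        total[r["product"]] += 1
        remote[r["product"]] += int(r["remote_no_auth"])
    return {p: (total[p], remote[p]) for p in total}


if __name__ == "__main__":
    matrix = load_matrix(SAMPLE_MATRIX)
    for r in prioritise(matrix):
        print(f'{r["cve"]:24} {r["product"]:18} {r["cvss"]:5} remote={r["remote_no_auth"]}')
    print(remote_counts(matrix))
```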