January 2019 Patch Tuesday forecast: Partly cloudy followed by heavy fog around Java

2018 ended with a bit of excitement. Shortly after November Patch Tuesday we saw a pair of Flash Player zero-days (November 20 and December 5), which were followed by just about everything Microsoft could release on December Patch Tuesday. Then Microsoft released an emergency patch on December 19 to resolve a JScript zero-day that could be exploited through Internet Explorer simply by visiting a malicious website.

Fingers crossed, we might be looking at a lighter Patch Tuesday in January with a few more releases spread across the month. Here’s a rundown of the usual suspects.

January Patch Tuesday forecast

  • Microsoft – Expect Windows and Office updates. Likely we will see only one or two other products at most since the majority of the Microsoft products received updates in December.
  • Adobe – announced a prenotification for Acrobat and Reader (APSB19-02) with an expected release date of Thursday, January 3. You can also expect an Adobe Flash Player update on Patch Tuesday.
  • Oracle – is scheduled for their quarterly Critical Patch Update (CPU) on January 15, so don’t lose sight of this one. This will be the last general availability update for Java 8 JRE and the future of Java is a bit unclear. Read on for some rising concerns around this.
  • Mozilla – Firefox is likely due for another update either later this week or around Patch Tuesday. Firefox is pretty consistent on receiving updates once to twice monthly.
  • GoogleChrome 72 Stable Release is expected around January 29.

About that Oracle Java 8 JRE situation

On September 17, 2018 Oracle announced Java SE 8 End of Public Updates set for January 2019. The upgrade path for Java SE 8 was previously to upgrade to Java SE 10, but that EOL’ed in late September 2018 as well. So the new path is to upgrade to Java JDK 11. Yes, JDK. Why? Because there really isn’t a separate JRE any longer and this is where many companies are currently left scratching their heads. The Java Runtime is no longer packaged separately. In JDK 11 the software developers are supposed to package up only the necessary modules for their specific application using jlink or jmod.

In short, this will change the way you distribute your Java applications. For many companies the details are still a bit foggy. As a patch administrator your biggest concerns should be:

1. How long before you can remove legacy Java JREs from your environment? They will become a security liability over time. Software obsolescence is the cause of many security incidents. It is also a really fun word.

2. Under this new model how will security vulnerabilities be identified and how quickly will development teams be turning out updates? Then how will that update be distributed?

Don't miss