Emergency Java Security Fix Released for Windows
Oracle on Monday released an out-of-band patch aimed at fixing an issue when installing Java on Windows.
The vulnerability (CVE-2016-0603), which earned a CVSS Base Score of 7.6, affects Java SE 6, 7 and 8. The flaw is considered relatively complex to exploit, explained Eric P. Maurice, director of Oracle Software Security Assurance, on that group's blog, but it might be worth the effort to attackers because it results in a complete compromise of the user's system.
"To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8," Maurice wrote.
No upgrade to existing Java installations is required to address this vulnerability because the exposure exists only during the installation process. But Java SE users should delete any older version of Java SE (prior to 6u113, 7u97 or 8u73) that they may have downloaded and plan to install later. Those versions should be replaced with 6u113, 7u97 or 8u73 or later. The Java SE Advanced Enterprise installers are not affected by this vulnerability.
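The clean-up step above (discard any downloaded Java 6, 7 or 8 Windows installer older than 6u113, 7u97 or 8u73) can be automated over a Downloads folder. This is an added example, not code from Oracle or the article; it assumes Oracle's usual installer naming (e.g. jre-8u71-windows-x64.exe, jdk-7u79-windows-i586.exe), which you may need to adjust.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Earliest installer builds carrying the CVE-2016-0603 fix, per the advisory.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed naming scheme for Oracle's Windows installers:
#   j(re|dk)-<major>u<update>-windows-<arch>.exe
INSTALLER_RE = re.compile(r"^j(?:re|dk)-(\d+)u(\d+)-windows-[^.]+\.exe$", re.IGNORECASE)


def parse_installer(name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java SE Windows installer filename, else None."""
    m = INSTALLER_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_installer(name: str) -> bool:
    """True when the file is a Java 6/7/8 installer older than the fixed build."""
    parsed = parse_installer(name)
    if parsed is None:
        return False
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    return fixed is not None and update < fixed


def find_stale_installers(names: Iterable[str]) -> List[str]:
    """Filter filenames down to the installers that should be deleted and re-downloaded."""
    return sorted(n for n in names if is_vulnerable_installer(n))


if __name__ == "__main__":
    # Constructed sample listing standing in for a user's Downloads folder.
    sample = [
        "jre-8u71-windows-x64.exe",    # older than 8u73 -> stale
        "jre-8u73-windows-i586.exe",   # first fixed build -> keep
        "jdk-7u79-windows-x64.exe",    # older than 7u97 -> stale
        "jre-6u115-windows-i586.exe",  # at or above 6u113 -> keep
        "setup.exe",                   # not a Java installer -> ignored
    ]
    for n in find_stale_installers(sample):
        print("delete and re-download from Java.com:", n)
    # Real use: find_stale_installers(p.name for p in (Path.home() / "Downloads").iterdir())
```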
"As a reminder, Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed," Maurice added. "Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious."
Oracle recently settled with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers. Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.
In January Oracle issued patches for 248 vulnerabilities across its product lines, including fixes for eight Java security holes, three of which were rated critical, earning CVSS scores of 10.0.
Oracle uses the Common Vulnerability Scoring System to provide an open and standardized rating of the security holes it finds in its products.
More information is available online.