Oracle has issued an out-of-cycle fix for a vulnerability (CVE-2016-0603) in the Windows installers for Java SE (Standard Edition) 6, 7 and 8, which attackers could exploit to completely compromise a target's system.
“To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user’s system before installing Java SE 6, 7 or 8,” the company explained in a security advisory released on Friday.
“Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.”
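The advisory's guidance is operational: existing installations are fine, but any saved installer older than 6u113, 7u97 or 8u73 must be thrown away. Below is an added example (not Oracle's code and not part of the original article) of a small script that scans a downloads folder for Java SE Windows installers and flags the ones that predate the fix. It assumes Oracle's installer naming convention (for example `jre-8u71-windows-x64.exe` or `jdk-7u80-windows-i586.exe`); the sample file names in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Minimum update level per affected major release that contains the fix for
# CVE-2016-0603, as stated in Oracle's Security Alert: 6u113, 7u97, 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed Oracle installer file-name convention, e.g. jre-8u71-windows-x64.exe,
# jdk-7u80-windows-i586.exe or jre-8u72-windows-i586-iftw.exe (online installer).
_NAME = re.compile(
    r"^(?:jre|jdk)-(?P<major>\d+)u(?P<update>\d+)-windows-.*\.exe$",
    re.IGNORECASE,
)


def parse_installer_name(name):
    """Return (major, update) for a Windows Java SE installer file name, or None."""
    m = _NAME.match(name)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def is_unpatched_installer(name):
    """Classify an installer by its file name.

    True  -> affected release line and update level below the fixed one: discard it
    False -> affected release line at or above the fixed update level: keep it
    None  -> not a recognised Java SE Windows installer, or a release line the
             advisory does not cover (the caller must decide separately)
    """
    parsed = parse_installer_name(name)
    if parsed is None:
        return None
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update < fixed


def find_unpatched_installers(directory):
    """Scan one directory (non-recursively) and return the names to discard, sorted."""
    return sorted(
        p.name
        for p in Path(directory).iterdir()
        if p.is_file() and is_unpatched_installer(p.name) is True
    )


def demo():
    """Build a throwaway folder of constructed file names and scan it."""
    sample_names = [
        "jre-8u71-windows-x64.exe",      # below 8u73: discard
        "jre-8u73-windows-x64.exe",      # fixed level: keep
        "jdk-7u80-windows-x64.exe",      # below 7u97: discard
        "jdk-7u97-windows-i586.exe",     # fixed level: keep
        "jre-6u45-windows-i586.exe",     # below 6u113: discard
        "jre-6u113-windows-i586.exe",    # fixed level: keep
        "setup.exe",                     # not a Java installer: ignored
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in sample_names:
            (Path(tmp) / name).touch()
        return find_unpatched_installers(tmp)


if __name__ == "__main__":
    for name in demo():
        print(f"discard: {name}")
```

Run it against a real folder by calling `find_unpatched_installers(r"C:\Users\<you>\Downloads")`. The file name is only a heuristic: a renamed or repackaged installer will not be recognised, so a file the script cannot classify (`None`) should be treated as suspect rather than as safe, and the reliable remedy remains the one in the advisory, downloading a fresh 6u113, 7u97 or 8u73-or-later installer from Oracle.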
Although a successful attack takes several steps (the victim must be lured to a malicious site, save files locally, and only then run the installer), Oracle rates the flaw high severity because it is exploitable over a network without a username or password and can lead to complete system compromise.
That Oracle issued a standalone Security Alert rather than waiting for its next scheduled Critical Patch Update (19 April 2016) signals that it considers the fix too critical to hold back.
The bug doesn’t affect Java SE Advanced Enterprise.