Oracle has issued an emergency security update for Java to plug a critical flaw (CVE-2016-0636) that could be exploited by luring users to visit a web page hosting the exploit.
Oracle has chosen to push out an out-of-band update because the flaw is easily exploitable and because technical details about it have already been publicly disclosed (Oracle wisely does not point towards where they can be found).
It’s only a matter of time until the exploit is included in a widely used exploit kit, so users are advised to upgrade as soon as possible.
“This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle explained in a security alert.
“To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.”
The vulnerability affects Java SE running in web browsers on desktops – Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS – but not Java deployments that load and run only trusted code (typically in servers or standalone desktop applications).
If you’re not sure whether you have Java installed on your computer, use this web tool to find out.
Also, once you update, be sure to uninstall any and all previous versions of Java you might still have on your machine.
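For administrators who would rather check a fleet from the command line than visit a web tool per machine, the following Python script parses the banner printed by `java -version` and flags the update levels the alert names as affected (7 Update 97, 8 Update 73 and 74). It is an added example, not code from Oracle or the article; it assumes that older update levels of the same major release are affected as well (the alert does not say so either way), so it flags anything at or below the listed update numbers. Sample banners are constructed for the offline demonstration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Update levels the alert names as affected by CVE-2016-0636:
# Java SE 7 Update 97, Java SE 8 Update 73 and 74.
# Assumption (not stated in the alert): earlier updates of the same major
# release are treated as affected too, so anything at or below these
# update numbers is flagged.
AFFECTED_MAX_UPDATE = {7: 97, 8: 74}

# First line of `java -version` for Java 7/8, e.g.
#   java version "1.8.0_73"
#   openjdk version "1.7.0_97-b02"
# Java 9+ uses a different scheme ("9.0.1") and is reported as unparseable.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(major: int, update: int) -> bool:
    """True when the release is one the alert lists as affected, or (by the
    assumption above) an older update of that same major release."""
    limit = AFFECTED_MAX_UPDATE.get(major)
    return limit is not None and update <= limit


def assess_banner(banner: str) -> str:
    """Classify a version banner as AFFECTED, ok, or unknown."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown: could not parse version banner"
    major, update = parsed
    if is_affected(major, update):
        return f"AFFECTED: Java SE {major} Update {update}"
    return f"ok: Java SE {major} Update {update}"


def assess_local_java() -> str:
    """Run the `java` on PATH (it prints its version to stderr) and assess it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return "no java binary on PATH"
    return assess_banner(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    samples = ['java version "1.8.0_73"',
               'java version "1.7.0_97"',
               'openjdk version "1.8.0_91-b14"',
               'java version "9.0.1"']
    for sample in samples:
        print(f"{sample:32} -> {assess_banner(sample)}")
    print("this host ->", assess_local_java())
```

The script only inspects the `java` binary on PATH; a machine can carry several runtimes (which is why the article recommends uninstalling old versions after updating), so run it against each installation directory you find, and remember that whether the browser plugin is enabled is a separate question from which runtime is installed.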
The next Critical Patch Update for Java SE is scheduled for 19 April 2016.