Oracle Issues Out-of-Cycle Security Patch for Java on Windows
- By John K. Waters
Oracle Corp. has issued an out-of-cycle security patch to fix a vulnerability that can be exploited when installing Java on Windows. The vulnerability, which earned a CVSS Base Score of 7.6, affects Java SE 6, 7 and 8.
The vulnerability (CVE-2016-0603) is considered relatively complex to exploit, explained Eric P. Maurice, director of Oracle Software Security Assurance, on that group's blog, but it might be worth the effort to attackers, because it results in a complete compromise of the user's system.
"To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious Web site and download files to the user's system before installing Java 6, 7 or 8," Maurice wrote.
No upgrade to existing Java installations is required to address this vulnerability, because the exposure exists only during the installation process. But Java SE users should delete any older version of Java SE (prior to 6u113, 7u97 or 8u73) that they may have downloaded and plan to install later. Those versions should be replaced with 6u113, 7u97 or 8u73 or later. The Java SE Advanced Enterprise installers are not affected by this vulnerability.
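The remediation above is a housekeeping step: find any previously downloaded Java SE installer older than 6u113, 7u97 or 8u73 and delete it before it is ever run. The following script is an added example, not code from Oracle or from the article, that checks a folder such as a user's Downloads directory for such stale installers. It assumes the installer file naming pattern `jre-<major>u<update>-windows-<arch>.exe` / `jdk-<major>u<update>-windows-<arch>.exe`; that pattern is an assumption about Oracle's download file names, not something the advisory specifies, and the sample file list is constructed.

```python
import re
from pathlib import Path

# First update levels that ship without CVE-2016-0603, per major version,
# as stated in the advisory: 6u113, 7u97 and 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed installer naming pattern, e.g. "jre-8u71-windows-x64.exe" or
# "jdk-7u97-windows-i586.exe". This regex is a constructed assumption
# about Oracle's download file names, not part of the advisory.
INSTALLER_RE = re.compile(
    r"^(?:jre|jdk)-(\d+)u(\d+)-windows-[\w-]+\.exe$", re.IGNORECASE
)


def parse_installer_name(name):
    """Return (major, update) for a Java SE Windows installer name, else None."""
    m = INSTALLER_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_installer(name):
    """True if the name denotes a Java 6/7/8 Windows installer older than the
    fixed update level. Unrecognised names and other majors yield False."""
    parsed = parse_installer_name(name)
    if parsed is None:
        return False
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return False
    return update < fixed


def find_stale_installers(names):
    """Filter an iterable of file names down to the stale installers."""
    return [n for n in names if is_vulnerable_installer(n)]


def scan_directory(directory):
    """Scan a folder (for example the user's Downloads) for stale installers."""
    return find_stale_installers(
        p.name for p in Path(directory).iterdir() if p.is_file()
    )


if __name__ == "__main__":
    # Constructed sample listing standing in for a Downloads folder.
    sample = [
        "jre-8u71-windows-x64.exe",
        "jre-8u73-windows-x64.exe",
        "jdk-7u80-windows-i586.exe",
        "jre-6u113-windows-i586.exe",
        "notes.txt",
    ]
    for n in find_stale_installers(sample):
        print("stale installer, delete before use:", n)
```

Run `scan_directory(r"C:\Users\<name>\Downloads")` to check a real folder; anything it returns should be deleted and replaced with a current installer obtained from Java.com, as the advisory recommends.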
"As a reminder, Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed," Maurice added. "Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious."
Oracle recently settled with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers. Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.
In January Oracle issued patches for 248 vulnerabilities across its product lines, including fixes for eight Java security holes, three of which were rated critical, earning CVSS scores of 10.0.
Oracle uses the Common Vulnerability Scoring System to provide an open and standardized rating of the security holes it finds in its products.
More information is available online.
John has been covering the high-tech beat from Silicon Valley and the San Francisco Bay Area for nearly two decades. He serves as Editor-at-Large for Application Development Trends (www.ADTMag.com) and contributes regularly to Redmond Magazine, The Technology Horizons in Education Journal, and Campus Technology. He is the author of more than a dozen books, including The Everything Guide to Social Media; The Everything Computer Book; Blobitecture: Waveform Architecture and Digital Design; John Chambers and the Cisco Way; and Diablo: The Official Strategy Guide.