Emergency Java Patch

Wednesday, February 10, 2016 @ 02:02 PM gHale

Oracle has issued an out-of-cycle emergency Java patch to plug a vulnerability that can be exploited only while Java is being installed on Windows platforms.

CVE-2016-0603 is a complex bug: to exploit it, an attacker would have to trick a user into visiting a compromised website before that user installs Java 6, 7 or 8. A successful attack, however, results in a “complete compromise” of the target.


Getting an attack to work would be very difficult: the attacker would also have to persuade the end user that what they had clicked on was an authoritative Java release, even though the user was nowhere near Oracle’s Java website.

For once, people with an existing, clean install of Java do not have to worry: the bug is in the installer, not in the runtime that is already on the machine.

“However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later,” said Oracle security blogger Eric Maurice.
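As an added example (not Oracle’s tooling and not part of the original article), the following Python script performs the triage step Maurice describes: it takes a list of downloaded files, parses the Java family and update number from the filename convention Oracle uses for its Windows installers, and flags anything older than 6u113, 7u97 or 8u73 for deletion. The installer filename pattern, the “-iftw” online-installer suffix and the sample Downloads listing are assumptions made for the example.

```python
import re

# Fixed builds named in Oracle's advisory for CVE-2016-0603: 6u113, 7u97, 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed Oracle Windows installer naming, e.g. jre-8u72-windows-x64.exe or
# jdk-7u80-windows-i586.exe. The optional "-iftw" (online installer) suffix is
# also an assumption about naming, not something the advisory states.
_INSTALLER_RE = re.compile(
    r"^(?:jre|jdk)-(\d+)u(\d+)-windows-(?:x64|i586)(?:-iftw)?\.exe$",
    re.IGNORECASE,
)


def parse_installer_version(path):
    """Return (family, update) for a Java installer filename, or None.

    Accepts full Windows or POSIX paths; only the last path component is used.
    """
    name = re.split(r"[\\/]", path)[-1]
    m = _INSTALLER_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(path):
    """Classify one downloaded file against the fixed builds.

    Returns one of:
      "vulnerable"          installer predates the fixed update for its family
      "patched"             installer is at or above the fixed update
      "not_covered"         Java family not named in the advisory
      "not_java_installer"  filename does not look like an Oracle Java installer
    """
    parsed = parse_installer_version(path)
    if parsed is None:
        return "not_java_installer"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "not_covered"
    return "vulnerable" if update < fixed else "patched"


def audit_downloads(paths):
    """Group downloaded files by classification.

    The "vulnerable" list is exactly the set of installers to discard and
    re-download as 6u113, 7u97 or 8u73 (or later).
    """
    report = {
        "vulnerable": [],
        "patched": [],
        "not_covered": [],
        "not_java_installer": [],
    }
    for p in paths:
        report[classify(p)].append(p)
    return report


if __name__ == "__main__":
    # Constructed sample of a Downloads folder for illustration; not real data.
    sample = [
        r"C:\Users\alice\Downloads\jre-8u72-windows-x64.exe",
        r"C:\Users\alice\Downloads\jre-8u73-windows-x64.exe",
        r"C:\Users\alice\Downloads\jdk-7u80-windows-i586.exe",
        r"C:\Users\alice\Downloads\jre-6u45-windows-i586-iftw.exe",
        r"C:\Users\alice\Downloads\setup.exe",
    ]
    for category, files in audit_downloads(sample).items():
        for f in files:
            print(f"{category:20} {f}")
```

Filename matching is triage only: an installer that has been renamed or repackaged will not match, so confirm the version information and digital signature of any installer you keep before running it, and treat a download from anywhere other than Oracle’s site as suspect regardless of what its name says.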

Oracle has provided no more public information on the nature of the bug.