Out-of-Band Java Update

Friday, March 25, 2016 @ 03:03 PM gHale


Oracle released an emergency security update for Java to plug a critical flaw that an attacker could exploit by luring users to a web page hosting the exploit.

Oracle pushed out an out-of-band update because the flaw is easily exploitable and because technical details about it have already been publicly disclosed.


It is only a matter of time until the exploit ends up in an exploit kit, so the company said users should upgrade as soon as possible.

“This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle said in a security alert.

“To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability.”

The vulnerability affects Java SE running in web browsers on desktops – Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS – but not Java deployments that load and run only trusted code (typically in servers or standalone desktop applications).
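An added inventory check, not code from the article or from Oracle, that parses `java -version` output and flags the browser-facing releases the article lists. Treating any update older than the listed ones as also lacking the fix is an assumption made here, not a statement from the alert.

```python
import re
import subprocess

# Desktop/browser releases named as affected in the article.
AFFECTED = {"1.7.0_97", "1.8.0_73", "1.8.0_74"}

# Earliest listed update per family. Assumption: an update older than the
# listed one cannot contain a fix released after it.
OLDEST_LISTED = {7: 97, 8: 73}

# Matches Oracle's legacy version string, e.g. java version "1.8.0_73".
# Java 9+ uses a different scheme and is reported as "unknown" here.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)')


def parse_java_version(output):
    """Return (family, update) from `java -version` text, e.g. (8, 73), or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    # "1.8.0_73": the second component is the family, the suffix the update.
    return int(m.group(2)), int(m.group(4))


def classify(output):
    """Bucket a `java -version` output against the releases in the alert."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if "1.%d.0_%d" % (family, update) in AFFECTED:
        return "affected"
    if family in OLDEST_LISTED and update < OLDEST_LISTED[family]:
        return "older-than-listed"
    return "not-listed"


def check_local_java():
    """Run `java -version` (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "not-installed"
    return classify(proc.stderr + proc.stdout)


# Constructed sample outputs; not captured from a real host.
SAMPLES = [
    'java version "1.8.0_73"\nJava(TM) SE Runtime Environment (build 1.8.0_73-b02)',
    'java version "1.7.0_97"',
    'java version "1.8.0_51"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.splitlines()[0], "->", classify(s))
    print("local:", check_local_java())
```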