Oracle posts Java patch for bug that could result in 'complete compromise' of Windows machines

Oracle recommends that users ensure they are running the latest version of Java to protect against the bug.
Written by Danny Palmer, Senior Writer

Oracle has released a patch for the CVE-2016-0603 security vulnerability.

Image: NopSec

Oracle has issued a security patch to close a Java vulnerability which if left unchecked could lead to 'complete compromise' of Microsoft Windows systems.

The vulnerability, tracked as CVE-2016-0603, can be exploited when Java version 6, 7, or 8 is installed on a Windows platform. It is remotely exploitable without authentication, allowing attackers to compromise a network without needing a username or password.

However, in order to exploit the security bug, an attacker would need to trick the user into visiting a malicious website and downloading infected files to their machine before Java 6, 7, or 8 is installed.

But while this would be difficult to achieve, a successful exploitation of the vulnerability could result in "complete compromise" of a user's system, warned a post on the Oracle Software Security Assurance Blog about the patch.

Given that the risk of compromise only exists during the initial installation process, Oracle has assured users that those who are already using an existing version of Java aren't vulnerable to CVE-2016-0603.

Nonetheless, the company warns that "users who have downloaded any old version of Java prior to 6u113, 7u97, or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later".

The security patch is cumulative, so any system it is installed on also receives all existing fixes from previous Critical Patch Updates and Security Alerts.

As part of the security alert, Oracle warns users to check that they're running the latest version of Java Standard Edition (SE) and that older versions have been completely removed from the system.
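Oracle's guidance above comes down to two checks: discard any Java installer older than 6u113, 7u97 or 8u73, and confirm the runtime in use is at or above those levels. The script below is an added example, not code from Oracle or from the article; it assumes installer filenames follow Oracle's "jre-8u71-windows-x64.exe" naming convention and that the runtime reports the classic "1.8.0_73" version string.

```python
import re

# Minimum fixed update level per Java family, as named in Oracle's alert: 6u113, 7u97, 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumption: Oracle Windows installers are named like "jre-8u71-windows-x64.exe"
# or "jdk-7u97-windows-i586.exe" (the page does not state this pattern).
INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d)u(\d+)-windows-", re.IGNORECASE)

# `java -version` prints e.g.  java version "1.8.0_73"  for Java 6/7/8.
RUNTIME_RE = re.compile(r"1\.(\d)\.0_(\d+)")


def parse_installer_name(filename):
    """Return (family, update) for an Oracle Windows installer filename, or None."""
    m = INSTALLER_RE.match(filename)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_runtime_version(version_output):
    """Return (family, update) from `java -version` output, or None if unrecognised."""
    m = RUNTIME_RE.search(version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_fixed(family, update):
    """True if family/update is at or above the level Oracle's alert names as fixed.
    Families the alert does not name are not flagged."""
    fixed = FIXED_UPDATE.get(family)
    return fixed is None or update >= fixed


def stale_installers(filenames):
    """Return the installer filenames that predate the fix and should be discarded."""
    stale = []
    for name in filenames:
        parsed = parse_installer_name(name)
        if parsed and not is_fixed(*parsed):
            stale.append(name)
    return stale


if __name__ == "__main__":
    # Constructed sample of a Downloads folder listing.
    downloads = [
        "jre-8u71-windows-x64.exe",    # below 8u73: discard
        "jre-8u73-windows-x64.exe",    # fixed
        "jdk-7u80-windows-i586.exe",   # below 7u97: discard
        "jre-6u113-windows-i586.exe",  # fixed
        "notepad-setup.exe",           # not a Java installer, ignored
    ]
    for name in stale_installers(downloads):
        print("discard:", name)
    print(is_fixed(*parse_runtime_version('java version "1.8.0_73"')))  # True
```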

The company has also recommended that users only download Java updates from official Java sources because alternatives might be "malicious".

Oracle has posted full details about the risks of the CVE-2016-0603 vulnerability and how to protect against it on its Technology Network.

Under the terms of a settlement with the US Federal Trade Commission which was reached in December last year, Oracle is now expected to warn users if they're running an outdated version of Java SE.
