Oracle: Java Bug Allows ‘Complete Compromise’ Of Systems

Oracle has released a patch for a bug in Java that could allow a remote attacker to gain complete control of a Windows system.

The bug, which has been assigned the designation CVE-2016-0603, affects Windows users who attempt to install older versions of Java SE 6, 7 or 8, Oracle said.

‘Complete compromise’

An attack would be somewhat difficult to carry out, since the vulnerability only exists during the Java SE installation process, Oracle said. An attacker would need to trick a target into downloading malicious files before they attempted to install a vulnerable version of Java SE, according to the company.

“Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system,” Oracle said.

Users already running Java SE 6, 7 or 8 aren’t affected, but users who have previously downloaded versions prior to 6u113, 7u97 or 8u73 for later installation should discard the vulnerable software and replace it with newer versions, which include the patch, Oracle said.

Security woes

Java SE Advanced Enterprise installers aren’t affected by the bug, according to the company.

Oracle has faced an uphill struggle in keeping Java secure, and last month announced it plans to eliminate the Java browser plug-in by March 2017.

The company reached a settlement with the US Federal Trade Commission in December that requires it to warn users if they’re running out-of-date versions of Java SE.

Are you a security pro? Try our quiz!