New Java bug leads to "complete compromise" of PC, warns Oracle

News
8 Feb, 2016

Oracle patches bug that affects new installations of Java 6, 7 and 8

Oracle has released yet another Java patch for Windows to fight a flaw that leads to “complete compromise” of a victim's computer.

An attacker would have to trick the victim into visiting an infected website before performing an installation of Java 6, 7 or 8, but would then find themselves with full control of the target system.

The fix patches the CVE-2016-0603 flaw, which affects new Java installations.

“Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability,” Oracle wrote.

“However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.”
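To turn Oracle's guidance into a check, here is an added example (not from the article or from Oracle) that parses both the `java -version` string form and the download-name form and flags anything below the fixed update levels quoted above; the installer file names it scans are constructed samples.

```python
import re

# Fixed update level per Java family for CVE-2016-0603, as quoted from Oracle above.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Accepts "1.8.0_73-b02" (java -version output) as well as "8u73" (download naming).
_VERSION_RE = re.compile(
    r"^(?:1\.)?(?P<family>[678])"        # leading "1." is optional
    r"(?:\.0)?(?:[_u](?P<update>\d+))?"  # "_73" or "u73"; no update means update 0
    r"(?:-b\d+)?$"                       # optional build suffix such as "-b02"
)

# Update token embedded in installer names, e.g. "jre-8u71-windows-i586.exe".
_FILENAME_RE = re.compile(r"\b([678]u\d+)\b")


def parse_java_version(text):
    """Return (family, update) for a Java 6/7/8 version string."""
    m = _VERSION_RE.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group("family")), int(m.group("update") or 0)


def installer_is_vulnerable(text):
    """True when the version predates the fixed update for its family."""
    family, update = parse_java_version(text)
    return update < FIXED_UPDATE[family]


def flag_vulnerable_downloads(filenames):
    """Return the installer names whose embedded version is below the fix.

    Names without a recognisable version token are skipped, not flagged.
    """
    flagged = []
    for name in filenames:
        m = _FILENAME_RE.search(name)
        if m and installer_is_vulnerable(m.group(1)):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample of a downloads folder, not real files.
    sample = ["jre-8u71-windows-i586.exe", "jdk-7u97-windows-x64.exe",
              "jre-6u45-windows-i586.exe", "notes.txt"]
    print(flag_vulnerable_downloads(sample))
```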

The latest update comes after last month’s record-breaking 248-patch update, which saw the company release a slew of fixes in its largest ever single patch distribution.

The flaws fixed by the colossal update include errors not just in Java itself, but also in associated products and software.

Java has come under fire in the past for being insecure, with a host of security professionals advising that the software be ditched altogether.

In fact, Google recently announced that Android N would be making the jump from using Java APIs to an open-source variant, though Oracle is suing Google for the use of Java in the operating system.

Similar criticisms have also been levelled at Adobe’s Flash software, which is notorious for introducing major security holes if left unpatched for any length of time.

21/01/2016: Oracle issues 248 patches to fix bug bonanza

Oracle has released 248 fixes for flaws in its software, in what is the biggest ever patch update by the vendor.

The patches apply to products including Oracle Database and Java, as well as Fusion Middleware, GoldenGate, Enterprise Manager, E-Business Suite, PeopleSoft, and supply chain tools.

The sheer number released in the January batch is 62 per cent higher than the 154 fixes Oracle issued in its last Critical Patch Update in October 2015, and Oracle urged customers to apply the updates as quickly as possible.

Three of the worst offending flaws affected Java, and held the highest security rating of 10.0.

Without detailing how these hacks worked, Oracle warned that cybercriminals could carry out seven Java exploits without the need for a username or password.

“Oracle strongly recommends that Java home users visit the java.com website, to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed,” the company urged.

Exploits affecting Oracle Database were not remotely executable, it added.

Analysing the latest swathe of patches, security research group ERPScan found that the number of vulnerabilities in Oracle’s Enterprise products is on the rise, with E-Business Suite bugs accounting for 32 per cent of them.

It said: “It’s almost a record number of vulnerabilities patched by a company in one product in one update ever.”

Oracle credited ERPScan, HP’s Zero Day Initiative, Google’s Project Zero, and even Anonymous, with finding the bugs.
