New Java bug leads to "complete compromise" of PC, warns Oracle

Oracle patches bug that affects new installations of Java 6, 7 and 8

Oracle has released yet another Java patch for Windows, this time an out-of-band fix for a flaw that, in Oracle's words, can lead to "complete compromise" of a victim's computer.

An attacker would first have to trick the victim into downloading a malicious file (for example by luring them to a booby-trapped website) and then into running a Java 6, 7 or 8 installer on the same machine. If that succeeds, the attacker ends up with full control of the target system. The weakness is in the installer itself rather than in the installed runtime, which is why only fresh installations are exposed.


The fix patches the CVE-2016-0603 flaw, which affects new Java installations.

"Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability," Oracle wrote.

"However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later."
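Oracle's advice amounts to a per-family version check on installer files, not on installed runtimes: an 8u71 download is stale even though 8u71 is newer than a fixed 7u97 build. The script below is an added example, not code from the article or from Oracle. It scans a directory for Oracle Java installer files, parses the family and update number out of the filename, and flags anything below the fixed update for its family. The filename pattern (`jre-8u71-windows-x64.exe`, `jdk-7u80-windows-i586.exe`) and the sample filenames are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Minimum update number per Java family that contains the fix for CVE-2016-0603,
# taken from Oracle's advisory quoted in the article: 6u113, 7u97, 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed Oracle installer naming convention, e.g. jre-8u71-windows-x64.exe.
# Group 1 is the family (6, 7, 8), group 2 is the update number.
INSTALLER_RE = re.compile(
    r"^(?:jre|jdk)-(\d)u(\d+)-windows-[a-z0-9]+\.exe$", re.IGNORECASE
)


def parse_installer(name):
    """Return (family, update) for an Oracle Java installer filename, else None."""
    m = INSTALLER_RE.match(name)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_stale(name):
    """True if the installer predates the fixed build for its family,
    False if it is fixed, None if the file is not a recognised installer
    or its family is not covered by the advisory."""
    parsed = parse_installer(name)
    if parsed is None:
        return None
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    # Compare update numbers within the family only; comparing across
    # families (8u71 vs 7u97) would give the wrong answer.
    return update < fixed


def scan(directory):
    """Map each recognised installer in `directory` to its stale/fixed verdict."""
    results = {}
    for path in Path(directory).iterdir():
        verdict = is_stale(path.name)
        if verdict is not None:
            results[path.name] = verdict
    return results


def demo():
    """Run the scanner over a constructed download folder (sample data, not real files)."""
    sample_names = [
        "jre-8u71-windows-x64.exe",   # pre-fix Java 8 download: stale
        "jre-8u73-windows-x64.exe",   # first fixed Java 8 build
        "jdk-7u97-windows-i586.exe",  # first fixed Java 7 build
        "jre-6u45-windows-i586.exe",  # old Java 6 download: stale
        "setup.exe",                  # unrelated file, ignored
    ]
    with tempfile.TemporaryDirectory() as d:
        for n in sample_names:
            Path(d, n).touch()
        return scan(d)


if __name__ == "__main__":
    for name, stale in sorted(demo().items()):
        print(f"{name}: {'DISCARD (pre-fix installer)' if stale else 'ok'}")
```

Point it at a real Downloads folder with `scan(r"C:\Users\<user>\Downloads")`; anything reported as stale should be deleted and replaced with a current installer, while installed runtimes need no action for this particular flaw.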

The latest update comes after last month's record-breaking 248-patch update, which saw the company release a slew of fixes in its largest ever single patch distribution.

The vulnerabilities fixed by that colossal update were not just in Java itself but spread across Oracle's wider product range.

Java has come under fire in the past for its security record, with many security professionals advising users to remove the software altogether unless they genuinely need it.

Google, for its part, recently announced that Android N would switch its Java class libraries to the open-source OpenJDK, even as Oracle continues to sue Google over Android's use of Java.


Similar criticisms have been levelled at Adobe's Flash Player, which is notorious for exposing users to serious security holes if it is left unpatched for any length of time.

21/01/2016: Oracle issues 248 patches to fix bug bonanza

Oracle has released 248 fixes for flaws in its software, in what is the biggest ever patch update by the vendor.

The patches apply to products including Oracle Database and Java, as well as Fusion Middleware, GoldenGate, Enterprise Manager, E-Business Suite, PeopleSoft, and supply chain tools.

The January batch was around 61 per cent larger than the 154 fixes Oracle issued in its previous Critical Patch Update in October 2015, and Oracle urged customers to apply the updates as quickly as possible.

Three of the most serious flaws affected Java and carried the maximum CVSS severity score of 10.0.

Without detailing how the attacks worked, Oracle warned that seven of the Java vulnerabilities could be exploited remotely without the attacker needing a username or password.


"Oracle strongly recommends that Java home users visit the website, to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed," the company urged.

The Oracle Database flaws, it added, were not remotely exploitable.

Analysing the latest swathe of patches, security research group ERPScan found that the number of vulnerabilities in Oracle's Enterprise products is on the rise, with E-Business Suite bugs accounting for 32 per cent of them.

It said: "It's almost a record number of vulnerabilities patched by a company in one product in one update ever."

Oracle credited ERPScan, HP's Zero Day Initiative, Google's Project Zero, and even Anonymous with finding the bugs.
