Late last week, Oracle released an out-of-band emergency patch for Java to address a security hole affecting anyone installing the tool on Windows devices.
The software maker said in a security alert that successful exploitation of the vulnerability, tracked as CVE-2016-0603, could lead to a complete compromise of a victim’s system.
“To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user’s system before installing Java 6, 7 or 8,” explained Eric P. Maurice, director of Oracle’s Software Security Assurance Group.
“Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system,” Maurice noted.
The vulnerability was given a CVSS Base Score of 7.6, which is considered “high” severity.
Oracle added that because the exposure exists only during the installation process, users are not required to upgrade existing Java installations to address the bug.
However, the security notice read, Java users who have downloaded any version of Java prior to 6u113, 7u97 or 8u73 should discard those old downloads and replace them with 6u113, 7u97 or 8u73 or later.
Meanwhile, the company recommends that Java home users visit Java.com to ensure they are running the latest version of Java SE and that older versions of the tool have been properly removed.
As always, users are encouraged to avoid downloading Java from unofficial sites, as these sites may be malicious.
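The advice above (discard installer downloads older than 6u113, 7u97 or 8u73, and confirm that only current Java builds remain installed) can be turned into a quick host check. The following PowerShell script is an added example for this article, not code from Oracle or from the advisory. It assumes two things that the article does not state: that Oracle's Windows installers are named in the `jre-8u71-windows-x64.exe` style, and that installed Oracle JRE/JDK builds are registered under `HKLM:\SOFTWARE\JavaSoft` with keys such as `1.8.0_73`. Both assumptions are marked in the code.

```powershell
# Added example (not from the Oracle alert or the article): scan a Windows host for
# (a) stale Java installer downloads below the fixed builds named in the alert and
# (b) installed JRE/JDK builds below those same fixed builds.

# Minimum fixed update number per Java major line, taken from the alert
# (6u113, 7u97, 8u73). Lines not listed here are not covered by the alert.
$FixedUpdate = @{ 6 = 113; 7 = 97; 8 = 73 }

function Test-JavaBuildFixed {
    param([int]$Major, [int]$Update)
    # Major lines the alert does not mention are treated as out of scope.
    if (-not $FixedUpdate.ContainsKey($Major)) { return $true }
    return $Update -ge $FixedUpdate[$Major]
}

function Find-StaleJavaInstallers {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    # ASSUMPTION: Oracle installer file names look like
    # jre-7u80-windows-i586.exe or jdk-8u71-windows-x64.exe.
    $pattern = '^(?:jre|jdk)-(\d)u(\d+)-windows-.*\.exe$'
    Get-ChildItem -Path $Path -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                $major  = [int]$Matches[1]
                $update = [int]$Matches[2]
                if (-not (Test-JavaBuildFixed -Major $major -Update $update)) {
                    [pscustomobject]@{
                        File   = $_.FullName
                        Build  = "$($major)u$($update)"
                        Action = "Delete; download $($major)u$($FixedUpdate[$major]) or later from java.com"
                    }
                }
            }
        }
}

function Get-InstalledJavaStatus {
    # ASSUMPTION: Oracle's Windows installers register each build as a subkey
    # named like "1.8.0_73" under these registry roots (32-bit builds on a
    # 64-bit OS live under WOW6432Node).
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\JavaSoft\Java Development Kit',
        'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Development Kit'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            if ($_.PSChildName -match '^1\.(\d)\.0_(\d+)$') {
                $major  = [int]$Matches[1]
                $update = [int]$Matches[2]
                [pscustomobject]@{
                    Key     = $_.Name
                    Build   = "$($major)u$($update)"
                    AtOrAboveFixed = Test-JavaBuildFixed -Major $major -Update $update
                }
            }
        }
    }
}

# Usage: list stale installers still sitting in Downloads, then every
# registered Java build with a flag showing whether it meets the fixed level.
Find-StaleJavaInstallers | Format-Table -AutoSize
Get-InstalledJavaStatus  | Format-Table -AutoSize
```

The installer scan is the part that matters for this particular bug, since the exposure is confined to running the installer; the registry check only backs up the article's separate advice to keep one current Java build and remove older ones. An empty first table means no flagged installers were found in the scanned folder, not that none exist elsewhere, so pass a different `-Path` for other download locations.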
The complete advisory for Security Alert CVE-2016-0603 can be found here.