Out-of-Band Java Security Patch Released for Windows

Oracle has released an emergency, out-of-band fix for a vulnerability that is exposed when Java is installed on Windows.

The vulnerability (CVE-2016-0603), which earned a CVSS Base Score of 7.6, affects Java SE 6, 7 and 8. The flaw is considered relatively complex to exploit, explained Eric P. Maurice, director of Oracle Software Security Assurance, on that group's blog, but it might be worth the effort to attackers because it results in a complete compromise of the user's system.

"To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8," Maurice wrote.

No upgrade to existing Java installations is required to address this vulnerability because the exposure exists only during the installation process. But Java SE users should delete any older version of Java SE (prior to 6u113, 7u97 or 8u73) that they may have downloaded and plan to install later. Those versions should be replaced with 6u113, 7u97 or 8u73 or later. The Java SE Advanced Enterprise installers are not affected by this vulnerability.
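The clean-up step above (delete any downloaded Java SE installer older than 6u113, 7u97 or 8u73 and replace it with a current one) can be turned into a quick check of a downloads folder. The following is an added example written for this page, not Oracle's code or anything from the advisory; the installer file-name pattern it matches (names of the `jre-8u71-windows-x64.exe` style) and the sample names it is tested with are assumptions about Oracle's usual naming, and the fixed-build numbers are the three the advisory names.

```python
"""Flag Java SE installers older than the fixed builds named in the advisory.

Added example; not Oracle's code.  The installer file-name pattern below is an
assumption about Oracle's usual Windows installer naming.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# First installer builds that carry the CVE-2016-0603 fix, per the advisory:
# 6u113, 7u97 and 8u73.  Anything older in the same family is stale.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Oracle's Windows installer names look like "jre-8u71-windows-x64.exe" or
# "jdk-7u80-windows-i586.exe" (assumption).  A browser re-download adds a
# " (1)"-style suffix before the extension, so that suffix is tolerated too.
INSTALLER_RE = re.compile(
    r"^(?:jre|jdk)-(?P<major>\d+)u(?P<update>\d+)-windows-(?:x64|i586)"
    r"(?: \(\d+\))?\.exe$",
    re.IGNORECASE,
)


def parse_installer(filename: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java 6/7/8-style installer name, else None.

    Java 9+ installers use a different scheme (e.g. jdk-9.0.1_windows-x64_bin.exe)
    and are outside the advisory, so they deliberately fail to parse.
    """
    m = INSTALLER_RE.match(filename)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def is_stale_installer(filename: str) -> bool:
    """True when the file is a Java 6/7/8 installer older than its fixed build."""
    parsed = parse_installer(filename)
    if parsed is None:
        return False
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    # Families the advisory does not name are not flagged by this check.
    return fixed is not None and update < fixed


def find_stale_installers(filenames: Iterable[str]) -> List[str]:
    """Filter an iterable of file names down to the stale installers, sorted."""
    return sorted(name for name in filenames if is_stale_installer(name))


def scan_directory(directory: Path) -> List[str]:
    """Scan one folder (non-recursive) and return the stale installer names."""
    return find_stale_installers(p.name for p in directory.iterdir() if p.is_file())


if __name__ == "__main__":
    # Default to the user's Downloads folder; pass another path as argv[1].
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    if not target.is_dir():
        sys.exit(f"not a directory: {target}")
    stale = scan_directory(target)
    for name in stale:
        print(f"stale installer, delete and re-download a current build: {name}")
    print(f"{len(stale)} stale Java installer(s) found in {target}")
```

The check compares only the update number within each major family, which is what the advisory's three thresholds express; it reports, rather than deletes, so the user can confirm what it found before removing the files and downloading replacements.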

"As a reminder, Oracle recommends that Java home users visit to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed," Maurice added. "Oracle further advises against downloading Java from sites other than as these sites may be malicious."

Oracle recently settled with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers. Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.

In January Oracle issued patches for 248 vulnerabilities across its product lines, including fixes for eight Java security holes, three of which were rated critical, earning CVSS scores of 10.0.

Oracle uses the Common Vulnerability Scoring System to provide an open and standardized rating of the security holes it finds in its products.

More information is available online.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].
