Oracle issues emergency Java patch for bug leading to system hijack
Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.
In a security alert posted Thursday, the tech giant said the flaw, CVE-2016-0636, is rather potent -- having achieved a rating of 9.3 through the Common Vulnerability Scoring System.
The bug is considered so severe because the flaw "can impact the availability, integrity, and confidentiality of the user's system."
If a user is running an unpatched version of Java, either in their browser or on their desktop, a single visit to a malicious page can lead to the remote exploitation of their system -- without any authentication details such as usernames or passwords.
Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X are affected. However, Java deployments in servers or standalone desktop applications -- which only run trusted code -- are not thought to be at risk.
Users should update their systems as soon as possible, since the severity of the flaw has forced Oracle to issue an out-of-schedule patch. You can download the fix from Oracle or accept automatic updates.
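To find deployments that still match the affected releases named above, here is an added Python example (not from Oracle or this article) that parses `java -version` output and flags Java SE 7 Update 97 and Java SE 8 Updates 73 and 74; treating older updates of those same lines as affected is an assumption of the example, and the host outputs are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Affected releases as named in Oracle's alert for CVE-2016-0636:
# Java SE 7 Update 97 and Java SE 8 Updates 73 and 74. Treating older
# updates of the same major line as affected too is an assumption here.
AFFECTED_MAX_UPDATE = {7: 97, 8: 74}

# Matches the legacy "1.<major>.0_<update>" form used by Java 7 and 8,
# e.g. 'java version "1.8.0_73"' or 'openjdk version "1.7.0_97"'.
VERSION_RE = re.compile(r'version "1\.(\d+)\.0_(\d+)')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` text, e.g. 1.8.0_73 -> (8, 73)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(output: str) -> Optional[bool]:
    """True if the runtime is within the affected range, False if not listed,
    None if the version string is not in the 1.x.0_N form (e.g. Java 9+)."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(major)
    if limit is None:
        return False  # major line not named in the alert
    return update <= limit


def triage(samples: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map host name -> affected status for a batch of collected outputs."""
    return {host: is_affected(out) for host, out in samples.items()}


# Constructed sample outputs (not captured from real hosts). Note that
# `java -version` writes to stderr, so collect that stream, not stdout.
SAMPLES = {
    "host-a": 'java version "1.8.0_73"\nJava(TM) SE Runtime Environment (build 1.8.0_73-b02)\n',
    "host-b": 'java version "1.7.0_97"\n',
    "host-c": 'java version "1.8.0_77"\n',
    "host-d": 'openjdk version "1.8.0_74"\n',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLES).items():
        label = "AFFECTED" if status else ("unknown format" if status is None else "not listed")
        print(f"{host}: {label}")
```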
Last month, Oracle released a security patch for Java resolving CVE-2016-0603, which permitted attackers to fully compromise Windows machines.