Oracle issues emergency Java patch for bug leading to system hijack

Users have been warned to patch their systems as soon as possible.
Written by Charlie Osborne, Contributing Writer

Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.

In a security alert posted Thursday, the tech giant said the flaw, CVE-2016-0636, is rather potent -- having achieved a rating of 9.3 through the Common Vulnerability Scoring System.

The bug is considered so severe as the flaw "can impact the availability, integrity, and confidentiality of the user's system."

If a user running an unpatched version of Java in either their browser or desktop, a single visit to a malicious page can lead to the remote exploitation of their system -- without any authentication details such as usernames or passwords.

Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X are affected. However, Java deployments in servers or standalone desktop applications -- which only run trusted code -- are not thought to be at risk.

Users should update their systems as soon as possible, since the severity of the flaw has forced Oracle to issue an out-of-schedule patch. You can download the fix here or accept automatic updates.

Last month, Oracle released a security patch for Java resolving CVE-2016-0603, which permitted attackers to fully compromise Windows machines.

Top gadgets and apps to protect your mobile devices

Read on: Top picks

Editorial standards