Oracle announces further Java security woes

Oracle has just announced another potential Java vulnerability that could allow a remote attacker complete control of a Windows system.

The flaw, which affects the Java SE installation process on Java SE 6, 7 and 8, is potentially critical, but it would be very difficult to exploit because it is only exposed during installation. A remote attacker would have to trick a user into downloading files before running the installer, which would then allow the attacker to take advantage of the bug.

“Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system,” Oracle said.
“Users already running Java SE 6, 7 or 8 aren’t affected, but users who have previously downloaded versions prior to 6u113, 7u97 or 8u73 for later installation should discard the vulnerable software and replace it with newer versions, which include the patch,” Oracle said.
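
Oracle's advice comes down to finding installers that were downloaded earlier and kept for later use. The following Python check is an added example, not part of the original article or any Oracle tooling: it flags Windows Java SE installers older than the fixed updates quoted above. It assumes the files keep Oracle's usual download names (for example `jre-8u66-windows-x64.exe`); the function names and sample file names are constructed for illustration.

```python
import re
from pathlib import Path

# First fixed update per Java SE family, as quoted from Oracle in the article.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumption: installers keep Oracle's usual download names, e.g.
# jre-8u66-windows-x64.exe or jdk-7u79-windows-i586.exe. Renamed files are missed.
INSTALLER_RE = re.compile(
    r"^(?:jre|jdk)-(?P<family>\d+)u(?P<update>\d+)"
    r"-windows-(?:i586|x64)(?:-iftw)?\.exe$",
    re.IGNORECASE,
)


def classify(filename):
    """Return (family, update, stale) for a Java SE Windows installer name, else None."""
    m = INSTALLER_RE.match(filename)
    if not m:
        return None
    family, update = int(m["family"]), int(m["update"])
    fixed = FIXED_UPDATE.get(family)
    # Families the advisory does not name are reported but never flagged.
    stale = fixed is not None and update < fixed
    return family, update, stale


def find_stale_installers(directory):
    """Walk a directory tree and return installers older than the fixed update."""
    stale = []
    for path in Path(directory).rglob("*.exe"):
        result = classify(path.name)
        if result and result[2]:
            stale.append(path)
    return sorted(stale)


if __name__ == "__main__":
    # Constructed sample names, not taken from the article.
    for name in ["jre-8u66-windows-x64.exe", "jre-8u73-windows-x64.exe",
                 "jdk-7u79-windows-i586.exe", "putty.exe"]:
        print(name, classify(name))
    downloads = Path.home() / "Downloads"
    if downloads.is_dir():
        for path in find_stale_installers(downloads):
            print("discard and re-download:", path)
```

A file that has been renamed will not match the pattern, so a clean result from this check does not rule out an old installer being present.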

Oracle has confirmed that this bug does not affect the Java SE Advanced Enterprise installers. However, this is another in a list of security issues that have plagued Java in recent years. Oracle recently announced it would be dropping the Java web server plug-in due to its numerous security issues.

Indeed, when the major browsers dropped support for Java web server plug-ins, Oracle was left with little option but to drop it in the latest release of Java, version 9.0.
