Oracle patches now what it should have patched in 2013

Mar 24, 2016 11:00 GMT

Big Red has issued an urgent security fix for its cross-platform Java runtime, repairing a security flaw that has been lying around for 2.5 years.

Identified as CVE-2016-0636, this issue is in fact the second attempt at fixing CVE-2013-5838, which Oracle supposedly patched in October 2013.

At the start of the month, Polish security firm Security Explorations decided to publicly disclose that Oracle failed to properly assess and patch CVE-2013-5838, which they first discovered in early 2013.

Oracle had to scramble for a fix as details were made public with no warning

Security Explorations candidly admitted that it had not notified Oracle at all prior to the disclosure, explaining that implementing and testing the patch properly was Oracle's job, not the firm's responsibility.

Two weeks after this regrettable incident, Oracle is now issuing a new patch for the original problem via two new releases: Java SE 7 Update 99 and Java SE 8 Update 77.

As the company explains, this issue, which carries a severity score of 9.3/10, is remotely exploitable: all it takes is tricking a user into visiting a malicious website.

The bug is dangerous when chained with other exploits

The bug affects Java SE running in Web browsers on desktops, on Windows, Solaris, Linux, and Mac OS. Oracle has made it clear that Java's default security levels and click-to-play policies prevent automatic exploitation of this bug without user interaction. With clever social engineering, however, attackers could still get around these limitations.

At its core, the issue is a sandbox escape, which allows an attacker to run malicious code outside Java's strictly controlled runtime.

By chaining other exploits to this initial point of entry, a malicious party can then escalate the attack and target the underlying browser or operating system. As Oracle puts it, "Successful exploits can impact the availability, integrity, and confidentiality of the user's system."

All users are urged to update their Java installation as soon as possible. The latest Java SE JRE downloads are available from Oracle's website or from one of our mirrored downloads.
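As an added example (not part of the original article, and not an Oracle tool), here is a small Python check a defender can run across a fleet to see whether an installed runtime is at or past the fixed releases named above, Java SE 7 Update 99 and Java SE 8 Update 77. It parses the first line that `java -version` prints (Java 7 and 8 report versions in the `1.8.0_77` form) and compares the update number against the patched level for that family; the sample version lines are constructed for the demonstration.

```python
import re
import subprocess

# Minimum patched update level per Java major family, taken from the article:
# Java SE 7 Update 99 and Java SE 8 Update 77 ship the CVE-2016-0636 fix.
PATCHED_UPDATE = {7: 99, 8: 77}

# Java 7/8 report versions as e.g. "1.8.0_73" (major 8, update 73); any
# trailing build suffix such as "-b15" is ignored by this pattern.
_VERSION_RE = re.compile(r'"1\.(\d)\.\d+_(\d+)')


def parse_java_version(version_line):
    """Return (major, update) from a `java -version` first line, or None if unparsable."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(version_line):
    """True if the reported runtime includes the fix, False if it is older.

    Families other than 7 and 8 are not covered by the advisory's version
    list, so they (and unparsable lines) are reported as None, i.e. not
    known-patched; treat None as "investigate", not as "safe".
    """
    parsed = parse_java_version(version_line)
    if parsed is None:
        return None
    major, update = parsed
    if major not in PATCHED_UPDATE:
        return None
    return update >= PATCHED_UPDATE[major]


def installed_java_version_line():
    """Run `java -version` (it writes to stderr) and return its first line, or None."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    lines = (proc.stderr or proc.stdout).splitlines()
    return lines[0] if lines else None


# Constructed sample lines (not captured from a real host).
SAMPLES = [
    'java version "1.8.0_73"',   # vulnerable: 8u73 is older than 8u77
    'java version "1.8.0_77"',   # patched
    'java version "1.7.0_95"',   # vulnerable: 7u95 is older than 7u99
    'java version "1.7.0_101"',  # patched (later than 7u99)
    'java version "1.6.0_45"',   # family not covered by this advisory
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line}: patched={is_patched(line)}")
    live = installed_java_version_line()
    if live:
        print(f"installed: {live} -> patched={is_patched(live)}")
```

The check deliberately distinguishes "older than the fixed release" (False) from "not covered by this advisory" (None), so an inventory script does not silently mark a Java 6 or a Java 9-style runtime as safe just because its version string did not match the 7/8 pattern.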