On Friday, Oracle announced a Security Advisory for Java that is out of their normal Quarterly CPU cycle. This udpate resolves one critical vulnerability that an attacker would need to exploit before Java is installed on the target system. Exploiting CVE-2016-0603 would allow the attacker to completely control the target system if exploited but, to exploit the vulnerability, an attacker would have to convince a user to open specially crafted content and this would have to occur before Java is installed on the target system using an installer older than the newly updated versions (6u113, 7u97, or 8u73).
Oracle is also recommending “users who have downloaded any old version of Java prior to 6u113, 7u97, or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”. This would prevent an attacker from taking advantage of the vulnerability in the future. Since this vulnerability affects windows systems installing Java, current instances are not as urgent of a concern. The immediate action is to remove older versions and only install using the latest release for each version.
Happy Patch Week!