This Security Alert addresses CVE-2016-0603 which can be exploited when installing Java SE 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.
To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.
Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.
As a reminder, Oracle recommends that Java SE home users visit Java.com to ensure that they are running the most recent version of Java SE and advises against downloading Java SE from sites other than Java.com as these sites may be malicious.
Note: The Java SE Advanced Enterprise installers are not affected.
The security vulnerability addressed by this Security Alert affects the products listed below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions:
|Java SE||Patch Availability |
|JDK and JRE 6 Update 111 on Windows only||Java SE|
|JDK and JRE 7 Update 95 on Windows only||Java SE|
|JDK and JRE 8 Update 71, 72 on Windows only||Java SE|
Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.
|Product Group||Risk Matrix||Patch Availability and Installation Information|
|Oracle Java SE||Oracle Java SE Risk Matrix|| |
|2016-February-5||Rev 1. Initial Release|
Appendix - Oracle Java SE
Oracle Java SE Executive Summary
This Security Alert contains 1 new security fix for Oracle Java SE. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Java SE Risk Matrix