Oracle has issued a high severity security alert for its popular Java software, warning of a bug which can allow remote code execution without authentication.
Known under the Common Vulnerabilities and Exposures (CVE) ID of CVE-2016-0636, the latest bug to be found in Oracle's popular Java platform is serious: Java SE 7 and 8 across Windows, Solaris, OS X, and Linux allows an unauthenticated attacker to run remote code on a system of his or her choosing. With Java often being used within browsers, exploitation is simple: just place malicious code within a webpage, or on a compromised advertising network for wider dissemination, and wait for alerts that users' computers are now under your direct control.
Warning that technical details regarding exploitation of the vulnerability have already been released, Oracle has issued a critical security alert
to all Java users. 'Due to the severity of this vulnerability and the public disclosure of technical details,
' the company warned, 'Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
While the attack is cross-platform, there is one small mitigation: deployments of Java on embedded devices and server environments are typically configured to run only trusted code, meaning that they are not at risk of running remotely-supplied and unauthenticated code even if the vulnerability is successfully exploited. Everybody else, however, should upgrade their Java install as soon as possible. If you're running Oracle's Java SE 7 Update 97, Java SE 8 Update 73 or Update 74, then it's time to upgrade.