Oracle's fired off an out-of-cycle emergency Java patch to plug a during-installation vulnerability on Windows platforms.
Dubbed CVE-2016-0603, the bug is complex, in that an attacker would have to trick a user into visiting a compromised Website before installing Java 6, 7 or 8. However, a successful attack results in a “complete compromise” of the target.
Getting an attack to work would be very difficult, unless the attacker had also persuaded a suitably inept end user that they'd clicked on an authoritative Java release even though they were nowhere near the Java Website.
For once, people with an existing clean install of Java (that is, an install that hasn't been compromised by anything else) don't have to worry.
“However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”, Oracle security blogger Eric Maurice writes.
Oracle has provided no more public information on the nature of the bug.
It's been a busy year already for Big Red, with a record-breaking 248 patches dropped last week. ®