Emergency Java update fixes two-year-old flaw after researchers bypass old patch
Oracle has released an emergency Java security update to fix a critical vulnerability that could allow attackers to compromise computers when their users visit specially crafted websites.
The company has assigned CVE-2016-0636 as the identifier for the vulnerability, which suggests that it is a new flaw discovered this year, but that’s not really the case.
Polish security firm Security Explorations confirmed via email that the new Java update actually fixes a broken patch for a vulnerability that the firm originally reported to Oracle in 2013.
Earlier this month Security Explorations announced that a patch released by Oracle in October 2013 for a critical vulnerability tracked as CVE-2013-5838 was ineffective and could be trivially bypassed by changing only four characters in the original exploit. This meant that the vulnerability was still exploitable in the latest versions of Java.