The company says Java installers with version numbers below 6u113, 7u97 and 8u73 are vulnerable to the attack. The flaw is quite complex to exploit, though. It requires planting malicious DLLs in the browser's download folder, and those DLLs are only executed if the user runs one of the vulnerable installers:
The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer's default download folder.
If an attacker manages to place a specifically named malicious DLL into a computer's "Downloads" folder, that file will be executed when the user tries to install Java for the first time or when he manually updates an existing Java installation by downloading and running a new installer.
"Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system," said Eric Maurice, Oracle's software security assurance director, in a blog post.
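A defender-side check for the condition described above, as an added example that is not from Oracle or the original article: it flags Java installers older than the fixed updates and lists any DLLs sitting in the same folder. The `jre-8u66-windows-x64.exe` style naming pattern and the sample file names are assumptions.

```python
import re
from pathlib import Path

# First fixed update per Java family, as stated in the article.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed installer naming convention, e.g. jre-8u66-windows-x64.exe
INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d+)u(\d+)-windows-.*\.exe$", re.I)


def is_vulnerable_installer(filename):
    """True if the name parses as a Java installer below the fixed update."""
    m = INSTALLER_RE.match(filename)
    if not m:
        return False
    family, update = int(m.group(1)), int(m.group(2))
    fixed = FIXED_UPDATE.get(family)
    # Families the article does not list are not judged here.
    return fixed is not None and update < fixed


def audit_folder(folder):
    """List vulnerable installers and every DLL that shares their directory."""
    entries = [p for p in Path(folder).iterdir() if p.is_file()]
    installers = sorted(p.name for p in entries if is_vulnerable_installer(p.name))
    dlls = sorted(p.name for p in entries if p.suffix.lower() == ".dll")
    return {
        "vulnerable_installers": installers,
        # DLLs matter only if an affected installer would be run from here.
        "dlls_at_risk_of_loading": dlls if installers else [],
    }


if __name__ == "__main__":
    import tempfile
    # Constructed sample folder; the file names are made up for the demo.
    with tempfile.TemporaryDirectory() as d:
        for name in ("jre-8u66-windows-x64.exe", "jre-8u73-windows-x64.exe",
                     "example.dll", "notes.txt"):
            (Path(d) / name).touch()
        print(audit_folder(d))
```

Any DLL the audit reports should be reviewed and removed, or the installer moved to an empty directory, before the installer is run.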