Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen flaws affect only the client deployment and five affect both client and server deployments.

The most high-risk vulnerability fixed in this Java update is known as CVE-2015-2590 and had zero-day status until this update. This means attackers were already exploiting it while no fix was available. An exploit for this was uncovered by researchers from Trend Micro in attacks that targeted at the armed forces of an unnamed NATO country and a US defence organization.

The attacks were launched by Pawn Storm which is tied to Russia's intelligence services. The group has been active since 2007 and typically targets military, government and media organizations.

In addition to Java, Oracle also updated a wide range of other products, fixing a total of 193 vulnerabilities, 44 stemming from third-party components. Clearly it was a day for a confession or two.

Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL were all fixed.

Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6 Update 101. Only the Java 8 update is publicly available, because general support for Java 7 and Java 6 ended some time ago and you will have to pay to have your system sorted out.