This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Users still running Java 6, which is vulnerable to zero-day exploit

Share this article:

A 'critical' vulnerability impacting the out-of-date, but still widely used, Java 6 platform has been added to a commercially available exploit kit.

Timo Hirvonen, a senior analyst at security firm F-Secure, told that on Monday he first saw the bug (CVE-2013-2463) exploited in the wild via the Neutrino exploit kit. Although those users who have upgraded to the latest Java version, 7u25 released in June, are patched against the threat, users running Java 6 remain vulnerable to attacks.

Oracle, which maintains Java, dispatched its final fix for Java 6 in April, and now only organisations with support contracts have access to updates.

“An attacker can execute their own code on the system to infect it with malware,” Hirvonen said of the exploit. “It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website,” and unknowingly install the exploit kit, a process known as a drive-by download.

Hirvonen told that the exploit's proof-of-concept was made public last week, prior to in-the-wild attacks surfacing on Monday.

According to Oracle's June critical patch update advisory, the vulnerability was assigned a score of 10 out of 10 on Oracle's implementation of the Common Vulnerability Scoring System, the highest mark. The vulnerability lies in Java Runtime Environment's 2D sub-component, which is used to make two-dimensional graphics.

Wolfgang Kandek, CTO of cloud security firm Qualys, told on Tuesday that the use of Java 6 still is prevalent, opening up a significant number of users to the threat.

After analysing millions of endpoints throughout May, June and July, the firm found that about half of the users were still running Java 6 installations.

For organisations concerned about disrupting mission-critical applications, if they try to disable or update Java 6, considering many software applications still depend on the version, they should consider whitelisting Java applets through their browsers, a feature supported by Internet Explorer and Google Chrome, Kandek said.

However, the safest option, he advised, is to bite the bullet and upgrade to the patched version of the platform.

“[Java 6] is very widely used, and since it is out of support since April, there's no way to fix this other than to go to the Java 7 version,” Kandek said.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

VC cyber security funding tops £850 million

VC cyber security funding tops £850 million

A new study from US-based research firm CBI Insights reveals that corporate cyber security investments have risen five-fold since 2009, with 30 percent growth in the last year alone.

Russian/Chinese cyber-security pact raises concerns

Russian/Chinese cyber-security pact raises concerns

News that Russia and China are set to sign a cyber-security treaty next month have left Western cyber experts unsure whether it is a threat or a promising development.

UK police arrest trio over £1.6 million cyber theft from cash machines

UK police arrest trio over £1.6 million cyber ...

London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million.