Java 6 users vulnerable to zero day flaw, security experts warn

Summary: If businesses have failed to update the widely used but out-of-date Java 6 platform, they may be at heightened risk of cyberattack thanks to additions to commercial exploit kits.

A number of security experts warn that businesses which fail to update from Java 6 on their systems are vulnerable to attack.

The final fix for the out-of-date Java 6 platform was released by Oracle in April. The bug, CVE-2013-2463, is rated as "critical," and is described below:

"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D."

The vulnerability "can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets," according to Oracle's Java SE Critical Patch Update Advisory in June. The bug was assigned a score of ten out of ten in Oracle's Common Vulnerability Scoring System -- rating the flaw as one of extreme importance.

While Java 6 users remain vulnerable, the bug has been patched in Java 7. Java 6 has been retired, which means that updates are only available to paying clients.

Timo Hirvonen, a senior analyst at security firm F-Secure, told SCMagazine that the issue has become more pressing now that a commercially available exploit kit is taking advantage of Java 6's widespread use and security holes. The Neutrino exploit kit targets Java vulnerabilities, typically exploiting them in order to download ransomware onto computer systems -- locking a computer until a fee is paid.

Neutrino can be rented by hackers for approximately $450 per month.

Hirvonen told the publication:

"An attacker can execute their own code on the system to infect it with malware. It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website."

Hirvonen is not the only security researcher concerned about the latest Java developments. Wolfgang Kandek, CTO of security firm Qualys, also believes that a significant number of users are vulnerable to the flaw, as he writes in a recent blog post.

"It is, in essence, an implicit zero-day vulnerability as we know about its existence, but do not have a patch at hand," Kandek says. "We still see very high rates of Java 6 installed, accounting for just over half of Java users, which means many organisations are vulnerable. Organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their suppliers if an upgrade path exists."

One problem with updating, however, is that business-critical applications on ageing systems may stop working. Where an upgrade is not possible, corporations should consider whitelisting Java applets in browsers that support the feature, including Internet Explorer and Google Chrome, to mitigate the risk.
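As an added illustration (not code from the article or from Oracle), the following Python helper turns the affected ranges quoted above ("7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier") and the article's statement that only Java 7 has a public fix into an inventory triage: it parses the first line of `java -version` output collected from hosts and reports which installs still need attention. The host names and version strings are constructed sample data.

```python
import re
from dataclasses import dataclass

# Affected ranges as stated in the CVE-2013-2463 description quoted in the article:
# family -> highest affected update number.
AFFECTED_MAX_UPDATE = {5: 45, 6: 45, 7: 21}
# Per the article, a public fix exists only for Java 7; Java 6 (and 5) are retired,
# with updates available only to paying customers.
PUBLIC_FIX_AVAILABLE = {7}

# Matches e.g. 'java version "1.6.0_45"' or 'openjdk version "1.7.0_25-ea"'.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


@dataclass
class JavaVersion:
    family: int   # 5, 6, 7, ...
    update: int   # 0 when the string carries no _NN update suffix


def parse_java_version(output: str):
    """Parse `java -version` output; return None when it is not recognised."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def assess(output: str) -> str:
    """Classify one host's `java -version` output against the quoted advisory ranges."""
    v = parse_java_version(output)
    if v is None:
        return "unknown"
    limit = AFFECTED_MAX_UPDATE.get(v.family)
    if limit is None:
        return "not-listed"            # family not named in the advisory text
    if v.update > limit:
        return "patched"
    if v.family in PUBLIC_FIX_AVAILABLE:
        return "affected-upgrade-available"
    return "affected-no-public-fix"    # Java 5/6: retired, paid updates only


# Constructed sample inventory (hypothetical hosts): host -> captured `java -version` text.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "ws-02": 'java version "1.7.0_25"',
    "ws-03": 'java version "1.7.0_21"',
    "ws-04": 'openjdk version "1.7.0_25"',
    "ws-05": 'no java found',
}


def triage(inventory):
    """Return {host: verdict} for every host that is not already patched."""
    return {h: assess(o) for h, o in inventory.items() if assess(o) != "patched"}
```

Hosts reported as "affected-no-public-fix" are the Java 6 installs the article is about: the only options are the paid update stream or the browser whitelisting described above.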

"So in essence they accept the risk of outdated Java in order to be able to continue to do business," said Kandek.

  • For enterprises with a need to run old Java versions, there's Browsium Ion

    Have a look at the linked PDF document entitled "Managing Java Versions with Browsium Ion".
    Rabid Howler Monkey
    • Java versions

      This vulnerability was fixed in Java 7 update 25, Java 6 update 51, and Java 5.0 update 51. As the author suggests, these versions of Java 6 and 5 are NPA (Not Publicly Available) and require the Java SE Commercial product from Oracle in order to access these versions. BTW - this isn't a new Oracle product, but a continuation of what Sun provided that was called Java for Business.
      • RE: Java versions

        Even if enterprises pony up for extended Java 5 and 6 support (a very good idea, IMO), there may still be a need for multiple Java versions to be installed on some fraction of enterprise desktops due to internal and/or external Java-based software requirements. By default, only one of the installed Java versions on the desktop at a time is available for Java applications and applets (via the web browser) and the user must have Administrative privileges to switch amongst multiple installed Java versions.

        Consider an example: Java 6 is required for a third-party Java applet served on the corporate Intranet, Java 5 is required for a Java applet served by an important customer's web site on the Internet, and Java 7 is used for everything else. The need for multiple Java versions installed on the desktop is not exactly uncommon in enterprises. Browsium Ion helps to manage this situation transparently for users.
        Rabid Howler Monkey
        • Java versions+

          Yep, I think Browsium is a cool solution.

          A bit more I've learned about the Java SE Commercial product: it allows you access to early releases. Right now Java 7u25 is the latest public release, but there are early releases 7u25 b33 (windows), 7u25 b34 (linux)... and you can open Service Requests for Java issues and get hot fixes. There is also an entitlement to use the JRE Usage Tracker that sends information to a central server every time the JRE is invoked.
  • java became junk once oracle took over it

    if you are still running java or windoze you had it coming!
    Astute people use android.
    LlNUX Geek
    • @LlNUX Geek

      Sun released Java SE 6, the topic of this article, in late 2006. Oracle acquired Sun in early 2008, almost two and a half years later.

      P.S. As far as I know, 'windoze' has not been trademarked. If you are quick, you can own it.
      Rabid Howler Monkey
      • Correction: Oracle acquired Sun in early 2008, almost one and a half year

        Rabid Howler Monkey
    • yes that's right because all the major software corps develop for linux!

      Actually no they don't. Adobe and its creative suite are a perfect example of functionality that can't be found on Linux and is also a major industry standard.

      I believe linux is better as an OS, but it simply cannot yet compete with the more mainstream OSs.
    • Astute?? must mean norm to bums!

      Everyone buys android because it's cheap, just like everyone runs Windows cause it's cheap!
      sure they could run Linux but then half their needed business programs wouldn't be accessible! And before you say it....Wine can't run most Windows programs!!!! Only some!
      Windows will never die!!!! Everyone supports it by buying a new PC so there!!
    • Java is a great fraud foisted by Scott McNealy and Sun Microsystems.

      This platform is a disaster with more security flaws than Windows and it will take years to fix the existing known flaws.

      Oracle is now the proud owner of this mess and are doing nothing but milking it for all they can get out of it. It will eventually be shuttered as a failed state like Blackberry.
  • Astute?

    Show me the Android version of SAP. Do you think everything runs on a phone?
  • more ZDNet drivel

    WTF is a "zero day flaw"?
    • Void

      You call the post "drivel," but don't know the definition of "zero day flaw."
      • Apparently neither does the author of the article

        The article states this vulnerability was fixed about 5 months ago. Why then is ZDNet reporting this as a 'zero day flaw' when it obviously existed for an even longer period than that? The fact that it's still being exploited in unpatched systems just makes it a regular 'flaw'. But I guess that doesn't make for nearly as sensational of a headline.
  • Zero day flaw

    A zero-day (or zero-hour or day zero) flaw or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (the software and/or strategies that use a security hole to carry out a successful attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.
  • OMG Nooooooo!

    Another exploit for Java? Tell me it's not true! Hey, look on the bright side. Zero day means you won't have to wait!
  • No Java here

    Java, write once, infect everyone. It is rare today to run into something that requires Java for what I do. We killed off Java years ago.
  • Not Much of Anything

    "It is rare today to run into something that requires Java for what I do." I guess that means you don't do much of anything. I'm happy for you.
  • backwards compatibility

    The biggest flaw in JAVA is the LACK OF BACKWARDS COMPATIBILITY.
    Meaning, if an application was written in Java 6, it will not work in Java 7.
    What a huge lack of foresight!
    There are dozens of other issues with Java, but that one is the major one.