Java 6 users vulnerable to zero day flaw, security experts warn

If businesses have failed to update the widely used but out-of-date Java 6 platform, they may be at heightened risk of cyberattack thanks to additions to commercial exploit kits.
Written by Charlie Osborne, Contributing Writer

A number of security experts warn that businesses which fail to update from Java 6 on their systems are vulnerable to attack.

The final fix for the out-of-date Java 6 platform was released by Oracle in April. The bug, CVE-2013-2463, is rated as "critical," and is described below:

"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D."

The vulnerability "can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets," according to Oracle's Java SE Critical Patch Update Advisory in June. The bug was assigned a score of ten out of ten in Oracle's Common Vulnerability Scoring System -- rating the flaw of extreme importance.

While Java 6 users remain vulnerable, the bug has been patched in Java 7. Java 6 has been retired, which means that updates are only available to paying clients.

Timo Hirvonen, a senior analyst at security firm F-Secure, told SCMagazine that the issue is now more important as a commercially available exploit kit is now taking advantage of Java 6's widespread use and security holes. The Neutrino exploit kit takes advantage of Java vulnerabilities, typically exploiting holes in order to download ransomware on to computer systems -- locking a computer until a fee is paid.

Neutrino can be rented by hackers for approximately $450 per month.

Hirvonen told the publication:

"An attacker can execute their own code on the system to infect it with malware. It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website."

Hirvonen is not the only security researcher concerned with the latest Java developments. Wolfgang Kandek, CTO of security firm Qualys, also believes that a significant number of users are vulnerable to the flaw as he writes in a recent blog post.

"It is, in essence, an implicit zero-day vulnerability as we know about its existence, but do not have a patch at hand," Kandek says. "We still see very high rates of Java 6 installed, accounting for just over half of Java users, which means many organisations are vulnerable. Organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their suppliers if an upgrade path exists."

One problem with updating, however, is that business-critical applications in ageing systems may not be able to function. Instead, corporations should consider whitelisting Java applets through browsers that support the service, including Internet Explorer and Google Chrome to mitigate the risk.

"So in essence they accept the risk of outdated Java in order to be able to continue to do business," said Kandek.

Editorial standards