Many firms vulnerable to Java 6 flaw, warns Qualys


Warwick Ashford

Many firms are at risk of cyber attacks exploiting an unpatched security flaw in Java 6, warns security firm Qualys.

Oracle released a critical patch update for vulnerability CVE-2013-2463 in Java 7, but there is no patch available for Java 6, which reached end-of-life in April 2013.


“It is, in essence, an implicit zero-day vulnerability as we know about its existence, but do not have a patch at hand,” said Wolfgang Kandek, CTO of Qualys.

Although this happens each time a software package loses support, he said what makes this a particular concern is that F-Secure has seen exploits in Java 6 in the wild.

Researchers have also seen the vulnerability included in the Neutrino exploit kit, which Kandek said guarantees that it will find widespread adoption.

“We still see very high rates of Java 6 installed, accounting for just over half of Java users, which means many organisations are vulnerable,” he said.

Kandek attributes this high level of use to the lock-in that organisations experience when they run software applications that require the use of Java 6.

“Organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their suppliers if an upgrade path exists,” he said.

However, many organisations are unable to update or disable Java because it would affect business critical applications.

“So in essence they accept the risk of outdated Java in order to be able to continue to do business,” said Kandek.

For users of Java 6, he said it might be useful to look into the whitelisting of Java applets.

“Internet Explorer supports this out of the box through its concept of 'Zones' and while it is not a perfect solution, it should deal with the most common attack vector - an applet embedded in a webpage,” he said.
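To make the zone-based approach Kandek describes concrete, the following PowerShell script is an added example, written for this page rather than taken from the article, Qualys or Oracle. It audits a Windows host from the defender's side: it lists the installed JRE versions and flags any Java 6 runtime, reports the "Java permissions" setting (the documented REG_DWORD value `1C00`) for each Internet Explorer security zone, and prints the domains the current user has placed in the Trusted Sites zone, which is where a whitelist of applet-hosting sites would live. It assumes the standard registry locations for the JRE and for IE's zone settings, reads only the current user's zone configuration, and changes nothing.

```powershell
# Added example (not from the article or from Qualys): audit a Windows host for
# Java 6 runtimes and for how Internet Explorer's security zones treat Java.
# Assumptions: the standard JavaSoft and Internet Settings registry keys below;
# run as the user whose IE zone settings you want to inspect. Read-only.

# Registry keys where the JRE records its installed versions (64- and 32-bit views).
$jreKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)

function Get-InstalledJreVersions {
    foreach ($key in $jreKeys) {
        if (Test-Path $key) {
            # Each installed version is a subkey such as '1.6.0_45' or '1.7.0_25'.
            Get-ChildItem $key | ForEach-Object {
                $props = Get-ItemProperty $_.PSPath
                [pscustomobject]@{
                    Version  = $_.PSChildName
                    JavaHome = $props.JavaHome
                    IsJava6  = ($_.PSChildName -like '1.6*')
                }
            }
        }
    }
}

# IE zone numbers and the documented meanings of the 'Java permissions' value (1C00).
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$javaPermissionNames = @{
    0x00000000 = 'Disable Java'
    0x00010000 = 'High safety'
    0x00020000 = 'Medium safety'
    0x00030000 = 'Low safety'
    0x00800000 = 'Custom'
}

function Get-IeZoneJavaPermissions {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..4) {
        $zoneKey = Join-Path $base ([string]$zone)
        $value = (Get-ItemProperty -Path $zoneKey -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
        $label = if ($null -eq $value) {
            'not set (inherits default)'
        } elseif ($javaPermissionNames.ContainsKey([int]$value)) {
            $javaPermissionNames[[int]$value]
        } else {
            '0x{0:X8}' -f $value
        }
        [pscustomobject]@{ Zone = $zoneNames[$zone]; JavaPermission = $label }
    }
}

# Domains the user has mapped to zone 2 (Trusted Sites): the effective applet whitelist.
function Get-TrustedSiteWhitelist {
    $domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $domains)) { return }
    Get-ChildItem $domains -Recurse | ForEach-Object {
        $entry = $_
        $props = Get-ItemProperty $entry.PSPath
        foreach ($scheme in @('*', 'http', 'https')) {
            if ($props.PSObject.Properties[$scheme] -and $props.$scheme -eq 2) {
                [pscustomobject]@{
                    Entry  = ($entry.Name -replace '^.*\\Domains\\', '')
                    Scheme = $scheme
                }
            }
        }
    }
}

$jres = @(Get-InstalledJreVersions)
$jres | Format-Table -AutoSize
if ($jres | Where-Object { $_.IsJava6 }) {
    Write-Warning 'Java 6 runtime present: no vendor patch exists for CVE-2013-2463 on this version.'
}

Get-IeZoneJavaPermissions | Format-Table -AutoSize
Get-TrustedSiteWhitelist | Format-Table -AutoSize
```

Read together, the three tables answer the questions the article raises for a host that cannot be upgraded: whether a Java 6 runtime is actually still installed, whether the Internet zone has Java disabled (the setting that blocks the embedded-applet vector for untrusted sites), and which sites have been explicitly trusted so that the business application keeps working. For fleet-wide use, run it through your management tooling and collect the output centrally rather than reading it host by host.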
