Many firms are at risk of cyber attacks exploiting an unpatched security flaw in Java 6, warns security firm Qualys.
Oracle released a critical patch update for the vulnerability CVE-2013-2463 in Java 7, but there is no patch available for Java 6, which reached end-of-life in April 2013.
“It is, in essence, an implicit zero-day vulnerability as we know about its existence, but do not have a patch at hand,” said Wolfgang Kandek, CTO of Qualys.
Although this happens each time a software package loses support, he said what makes this a particular concern is that F-Secure has seen exploits in Java 6 in the wild.
Researchers have also seen the vulnerability included in the Neutrino exploit kit, which Kandek said guarantees that it will find widespread adoption.
“We still see very high rates of Java 6 installed, accounting for just over half of Java users, which means many organisations are vulnerable,” he said.
Kandek attributes this high level of use to the lock-in that organisations experience when they run software applications that require the use of Java 6.
“Organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their suppliers if an upgrade path exists,” he said.
However, many organisations are unable to update or disable Java because it would affect business critical applications.
“So in essence they accept the risk of outdated Java in order to be able to continue to do business,” said Kandek.
For users of Java 6, he said it might be useful to look into the whitelisting of Java applets.
“Internet Explorer supports this out of the box through its concept of 'Zones' and while it is not a perfect solution, it should deal with the most common attack vector - an applet embedded in a webpage,” he said.
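The zone-based whitelisting Kandek describes can be applied through Internet Explorer's per-user security-zone registry settings. The following is an added example, not code from the article or from Qualys; the host name is a placeholder for an internal application that still depends on Java 6, and the example assumes no Group Policy already enforces these zone values.

```powershell
# Added example: restrict Java applets in Internet Explorer by security zone.
# Zone 3 = Internet, Zone 2 = Trusted sites. Value 1C00 = "Java permissions":
#   0x00000 = Disable Java, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low safety.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$trustedHost = 'legacy-app.example.internal'   # placeholder for the one app that needs applets

# 1. Disable Java for every site in the Internet zone: this is the drive-by applet vector
#    that the article says Neutrino and in-the-wild exploits rely on.
Set-ItemProperty -Path "$zones\3" -Name '1C00' -Type DWord -Value 0

# 2. Keep Java enabled, at high safety, only in the Trusted sites zone.
Set-ItemProperty -Path "$zones\2" -Name '1C00' -Type DWord -Value 0x10000

# 3. Map the business-critical application into Trusted sites (zone 2) for HTTPS only,
#    so a plain-HTTP page served under the same name is not trusted by accident.
$key = Join-Path $zoneMap $trustedHost
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'https' -Type DWord -Value 2

# 4. Report the resulting state so the change can be verified on the workstation.
$names = @{ 3 = 'Internet'; 2 = 'Trusted sites' }
foreach ($z in 3, 2) {
    $v = (Get-ItemProperty -Path "$zones\$z").'1C00'
    '{0}: Java permissions = 0x{1:X}' -f $names[$z], $v
}
```

If zone settings are delivered by Group Policy, the policy keys take precedence over these per-user values, so the same two settings should be pushed through the IE security-zone policy instead; as Kandek notes, this only covers the embedded-applet vector, not other Java attack surface.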