The exploit has already been added to the Neutrino exploit kit

Aug 27, 2013 09:25 GMT  ·  By

A critical zero-day vulnerability in Java 6 (CVE-2013-2463) is currently being exploited in the wild. Oracle is aware of the security hole but, since Java 6 is no longer supported, the company will not patch the issue.

The exploit was first spotted by F-Secure’s Timo Hirvonen, a few days after the proof-of-concept for CVE-2013-2463 was made public. Furthermore, the researcher says the Java zero-day exploit has been integrated into the Neutrino exploit kit.

Experts from Qualys warn that this all but guarantees widespread adoption of the exploit.

“In addition, we still see very high rates of Java 6 installed (a bit over 50%), which means many organizations are vulnerable. We attribute this to the lock-in that organizations experience when they run software applications that require the use of Java 6,” Wolfgang Kandek, CTO of Qualys, noted.

Internet users are advised to update their Java installations to the latest revision of version 7, which isn’t impacted by the issue. Users who don’t need Java in their everyday tasks should uninstall the software altogether.
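For an administrator acting on that advice, the first step is to find out which Java line each machine actually runs. The following script is an added example, not code from the article or from any of the vendors it quotes: it parses the three-line banner that `java -version` writes to stderr, maps the legacy `1.x` numbering to a major version, and flags any Java 6 (or older) runtime as exposed to CVE-2013-2463, since Oracle will not patch that line. The sample banners are constructed for illustration; the classification strings and the `run_local_java` helper are this example's own conventions.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Constructed samples of `java -version` output (illustrative, not captured
# from any real host). The JVM prints this banner to stderr, not stdout.
SAMPLE_JAVA6 = (
    'java version "1.6.0_45"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)\n'
)
SAMPLE_JAVA7 = (
    'java version "1.7.0_40"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_40-b43)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)\n'
)

# Matches both the Oracle ("java version") and OpenJDK ("openjdk version")
# banner prefixes; the update number after "_" is optional.
VERSION_RE = re.compile(
    r'^(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"', re.M
)


class JavaVersion(NamedTuple):
    major: int            # 6, 7, 8, 11, ...
    update: Optional[int] # e.g. 45 for 1.6.0_45; None if absent
    raw: str              # the matched banner line


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Parse a `java -version` banner; return None if no version line is found."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    first, second, _, update = m.groups()
    # Legacy "1.x.y" scheme (Java 8 and earlier): the major version is the
    # second field, so "1.6.0_45" is Java 6. Java 9+ puts the major first.
    major = int(second) if int(first) == 1 else int(first)
    return JavaVersion(major, int(update) if update else None, m.group(0))


def assess(banner: str) -> str:
    """Classify a runtime with respect to CVE-2013-2463 (this example's labels)."""
    v = parse_java_version(banner)
    if v is None:
        return "unknown"
    if v.major <= 6:
        # Java 6 is out of support; Oracle will not ship a fix for this line.
        return "exposed"
    # Java 7 line: the fix is only present in the latest revision, so the
    # version still has to be compared against the current release.
    return "check-latest"


def run_local_java() -> Optional[str]:
    """Capture the banner from the `java` on PATH, or None if none is installed."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for label, sample in (("sample Java 6", SAMPLE_JAVA6), ("sample Java 7", SAMPLE_JAVA7)):
        print(f"{label}: {parse_java_version(sample)} -> {assess(sample)}")
    local = run_local_java()
    print("local java:", "not installed" if local is None else assess(local))
```

Run it as-is to see the two constructed samples classified, and, if a `java` binary is on `PATH`, the local install as well. A "check-latest" result is deliberately not a clean bill of health: the article only states that the latest Java 7 revision is unaffected, so the update number still needs comparing against the current release on the machines in question.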

In a recent blog post, Avira Security Expert and Product Manager Sorin Mustaca detailed the “sad state of Java security.”

The expert believes Oracle should make the software open source to address current security problems.

“Making it open source would create an entirely new ecosystem with companies that can take care of the legacy Java versions like Java older than v6,” Mustaca wrote.

Other experts argue that this might not be the best option, considering that there already are open source versions of Java, and they haven’t led to any major improvements.

“Comprehensive security review of the platform is what Java needs in the first place,” noted Adam Gowdiak, CEO of Security Explorations, a company that has focused much of its activity on Java vulnerabilities.