A vulnerability in Java 6 is being actively exploited by attackers, and the exploit has been added to the commercially available Neutrino exploit kit.
Qualys chief technology officer Wolfgang Kandek said that Java 6 is still widely used, exposing a significant number of users to the threat. F-Secure senior analyst Timo Hirvonen found an exploit in the wild targeting the unpatched Java 6 flaw (CVE-2013-2463).
“It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website,” Hirvonen said. The exploit’s proof-of-concept was made public last week, before in-the-wild attacks surfaced on Monday. Since Oracle no longer supports Java 6, it has stated no intention to patch the flaw in that version.
The Neutrino exploit kit was first spotted in March 2013, when it was found serving ransomware that locks victims’ machines until they pay a fee, or “ransom”. The vulnerability lies in the Java Runtime Environment’s 2D sub-component, which is used to render two-dimensional graphics.
Users are encouraged to update to the latest version of Java. “Java 6 is very widely used, and since it is out of support since April, there’s no way to fix this other than to go to the Java 7 version,” said Kandek.
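Because the only remedy the article offers is moving off Java 6, the practical first step is finding out which hosts still run it. The script below is an added example written for this page, not code from Qualys, F-Secure or Oracle: it parses the banner that `java -version` prints and flags any Java 6 (or older) runtime as unsupported and exposed to CVE-2013-2463. It assumes `java` is on the PATH for the live check, and it deliberately only tells Java 7 and later users to confirm they have the latest update, since the article does not say which Java 7 update carries the fix. It handles both the legacy `1.<major>.0_<update>` version scheme used in 2013 and the `<major>.<minor>.<patch>` scheme of Java 9 and later, which goes beyond the article’s Java 6 versus Java 7 case.

```python
"""Flag hosts that still run Java 6 by parsing `java -version` output.

Added example for this article, not code from Qualys, F-Secure or Oracle.
Java 6 is treated as unsupported and exposed to CVE-2013-2463 because the
article says Oracle no longer ships fixes for it; anything newer is only
told to confirm its updates, since the article does not state which Java 7
update fixed the bug.
"""
import re
import subprocess
from typing import NamedTuple, Optional

# `java -version` writes its banner to stderr; the first line carries the
# quoted version string, e.g. java version "1.6.0_45" or openjdk version "11.0.2".
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


class JavaVersion(NamedTuple):
    major: int             # 6, 7, 8, 11, ...
    update: Optional[int]  # the "_45" in 1.6.0_45; None when the scheme has no update field


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Extract major and update numbers from a banner; None if no version line is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    ver = m.group(1)                       # "1.6.0_45" or "11.0.2"
    base, _, upd = ver.partition("_")
    parts = base.split(".")
    # Legacy scheme (through Java 8) is 1.<major>.<minor>; Java 9+ leads with the major.
    if parts[0] == "1" and len(parts) > 1:
        major = int(parts[1])
    else:
        major = int(parts[0])
    upd_match = re.match(r"\d+", upd)      # tolerate suffixes such as "45-ea"
    update = int(upd_match.group()) if upd_match else None
    return JavaVersion(major, update)


def assess(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'check-updates' or 'unknown'."""
    v = parse_java_version(banner)
    if v is None:
        return "unknown"
    if v.major <= 6:
        # Java 6 and older: public updates ended, CVE-2013-2463 stays unpatched.
        return "vulnerable"
    # Java 7 and later: the article only says to run the latest version.
    return "check-updates"


def installed_java_banner() -> Optional[str]:
    """Run `java -version` on this host; assumes `java` is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # Oracle JDKs print the banner on stderr; newer builds may use stdout.
    return proc.stderr + proc.stdout


# Constructed sample banners, shaped like real `java -version` output.
SAMPLE_BANNERS = {
    "java6": 'java version "1.6.0_45"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)\n'
             'Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)\n',
    "java7": 'java version "1.7.0_21"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "openjdk11": 'openjdk version "11.0.2" 2019-01-15\n'
                 'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name}: {parse_java_version(banner)} -> {assess(banner)}")
    live = installed_java_banner()
    print("this host:", assess(live) if live else "no java on PATH")
```

On a fleet, the same `assess` function can be fed banners collected by your configuration-management or endpoint tooling rather than by running `java` locally; the classification logic does not depend on how the banner was gathered.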