Java 6 zero-day added to Neutrino exploit kit

By

Half of users still vulnerable.

A critical vulnerability impacting the out-of-date but popular Java 6 platform has been added to the Neutrino commercially available exploit kit.

Java 6 zero-day added to Neutrino exploit kit

F-Secure senior analyst Timo Hirvonen spotted the flaw (CVE-2013-2463) exploited in the wild.

“An attacker can execute their own code on the system to infect it with malware,” Hirvonen said.

“It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website,” and unknowingly install the exploit kit, a process known as drive-by download.

The exploit's proof-of-concept was made public last week prior to in-the-wild attacks surfacing on Monday, he said.

Users who upgraded to the latest Java version, 7u25 released in June, were safe against the threat.

Oracle, which maintains Java, dispatched its final fix for Java 6 in April, and now only organisations with support contracts have access to updates.

According to the company's June critical patch update advisory, the vulnerability was assigned the top score of 10 on Oracle's implementation of the Common Vulnerability Scoring System.

The vulnerability lies in Java Runtime Environment's 2D sub-component, which is used to make two-dimensional graphics.

Qualys chief technology officer Wolfgang Kandek said the use of Java 6 was still prevalent, opening up a significant number of users to the threat.

After analysing millions of endpoints throughout May, June and July, the firm found that about half of the users were still running Java 6 installations.

While the safest option was to patch, organisations concerned about disrupting mission-critical applications could disable or update Java 6 and should consider whitelisting Java applets through their browsers, a feature supported by Internet Explorer and Google Chrome, Kandek said.

"[Java 6] is very widely used, and since it is out of support since April, there's no way to fix this other than to go to the Java 7 version,” Kandek said.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
exploitsjavapatchingsecurityvulnerabilities

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?