A critical vulnerability impacting the out-of-date but popular Java 6 platform has been added to the Neutrino commercially available exploit kit.
F-Secure senior analyst Timo Hirvonen spotted the flaw (CVE-2013-2463) exploited in the wild.
“An attacker can execute their own code on the system to infect it with malware,” Hirvonen said.
“It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website,” and unknowingly install the exploit kit, a process known as drive-by download.
The exploit's proof-of-concept was made public last week prior to in-the-wild attacks surfacing on Monday, he said.
Users who had upgraded to the latest Java version, 7u25, released in June, were protected against the threat.
Oracle, which maintains Java, dispatched its final fix for Java 6 in April, and now only organisations with support contracts have access to updates.
According to the company's June critical patch update advisory, the vulnerability was assigned the top score of 10 on Oracle's implementation of the Common Vulnerability Scoring System.
The vulnerability lies in Java Runtime Environment's 2D sub-component, which is used to make two-dimensional graphics.
Qualys chief technology officer Wolfgang Kandek said the use of Java 6 was still prevalent, opening up a significant number of users to the threat.
After analysing millions of endpoints throughout May, June and July, the firm found that about half of the users were still running Java 6 installations.
While the safest option was to patch, organisations concerned about disrupting mission-critical applications could disable or update Java 6 and should consider whitelisting Java applets through their browsers, a feature supported by Internet Explorer and Google Chrome, Kandek said.
“[Java 6] is very widely used, and since it is out of support since April, there's no way to fix this other than to go to the Java 7 version,” Kandek said.
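As an added illustration of the inventory check the article's mitigation advice implies (this is example code, not anything from F-Secure, Qualys or the article): the script below parses the version string that `java -version` prints and flags any endpoint still on Java 6, or on Java 7 below update 25, as exposed to CVE-2013-2463. The sample outputs are constructed for the example; the hostnames are placeholders.

```python
import re

# Constructed sample output in the format the Oracle JRE prints for
# "java -version" (on stderr). Hostnames are placeholders, not real hosts.
SAMPLE_OUTPUTS = {
    "host-a": 'java version "1.6.0_45"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "host-b": 'java version "1.7.0_21"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "host-c": 'java version "1.7.0_25"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_25-b15)',
    "host-d": 'bash: java: command not found',
}

# Oracle's legacy version scheme: 1.<major>.0_<update>, e.g. 1.7.0_25 == Java 7u25
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')

# Fixed release named in the article: Java 7 update 25.
FIXED_MAJOR, FIXED_UPDATE = 7, 25


def parse_java_version(output):
    """Return (major, update) from java -version output, or None if absent."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_exposed(version):
    """Java 6 (no public updates since April) and Java 7 before 7u25 are exposed."""
    major, update = version
    if major < FIXED_MAJOR:
        return True
    if major == FIXED_MAJOR:
        return update < FIXED_UPDATE
    return False


def classify_hosts(outputs):
    """Map each host to 'exposed', 'patched' or 'unknown' (no parseable JRE)."""
    result = {}
    for host, output in outputs.items():
        version = parse_java_version(output)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "exposed" if is_exposed(version) else "patched"
    return result


if __name__ == "__main__":
    for host, status in sorted(classify_hosts(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```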