Many firms are at risk of cyber attacks exploiting an unpatched security flaw in Java 6, warns security firm Qualys.
Oracle released a critical patch update for vulnerability CVE-2013-2463 in Java 7, but there is no patch available for Java 6, as it reached end-of-life in April 2013.
“It is, in essence, an implicit zero-day vulnerability as we know about its existence, but do not have a patch at hand,” said Wolfgang Kandek, CTO of Qualys.
Although this happens each time a software package loses support, he said what makes this a particular concern is that F-Secure has seen exploits in Java 6 in the wild.
Researchers have also seen the vulnerability included in the Neutrino exploit kit, which Kandek said guarantees that it will find widespread adoption.
“We still see very high rates of Java 6 installed, accounting for just over half of Java users, which means many organisations are vulnerable,” he said.
Kandek attributes this high level of use to the lock-in that organisations experience when they run software applications that require the use of Java 6.
“Organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their suppliers if an upgrade path exists,” he said.
However, many organisations are unable to update or disable Java because it would affect business critical applications.
“So in essence they accept the risk of outdated Java in order to be able to continue to do business,” said Kandek.
For users of Java 6, he said it might be useful to look into the whitelisting of Java applets.
“Internet Explorer supports this out of the box through its concept of ‘Zones’ and while it is not a perfect solution, it should deal with the most common attack vector – an applet embedded in a webpage,” he said.