A zero-day vulnerability in Java 6 is being actively exploited, and although Oracle is aware of the hole, the company will not patch it because Java 6 is no longer supported.
F-Secure’s Timo Hirvonen first spotted the exploit a few days after the proof-of-concept for the Java 6 flaw (CVE-2013-2463) became public. Hirvonen added that the exploit is now part of the Neutrino exploit kit.
That means widespread adoption will follow.
“In addition, we still see very high rates of Java 6 installed (a bit over 50 percent), which means many organizations are vulnerable. We attribute this to the lock-in that organizations experience when they run software applications that require the use of Java 6,” said Wolfgang Kandek, CTO of Qualys.
Users should update their Java installations to the latest revision of version 7, which is not affected by the issue. Users who don’t need Java for their everyday tasks should uninstall the software altogether.
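Because the article notes that a bit over half of installations still run Java 6, the first step for a defender is finding those installs. The following is an added example, not code from the article or from any of the vendors quoted: it parses the version string printed by `java -version`, flags the 1.6.x family as end-of-life, and can also be run against the local binary. The two sample outputs are constructed for illustration.

```python
import re
import subprocess

# Constructed sample outputs in the format `java -version` prints (illustrative).
SAMPLE_OUTPUTS = {
    "java6": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "java7": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)',
}

# Matches both Oracle ("java version") and OpenJDK ("openjdk version") banners.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess(output):
    """Classify a JRE as 'end-of-life' (Java 6 or older), 'supported', or 'unknown'."""
    v = parse_java_version(output)
    if v is None:
        return "unknown"
    # Pre-Java 9 releases use the 1.x scheme: 1.6.x is Java 6, 1.7.x is Java 7.
    family = v[1] if v[0] == 1 else v[0]
    # Note: this only checks the family; it does not verify that a Java 7
    # install is at its latest update level.
    return "end-of-life" if family <= 6 else "supported"


def check_local_java():
    """Run the installed java binary and assess it; 'absent' if none is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "absent"
    # java -version historically writes its banner to stderr; check both streams.
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, out in SAMPLE_OUTPUTS.items():
        print(name, assess(out))
    print("local", check_local_java())
```

On a fleet, the same `assess` function can be fed the captured `java -version` output from each host to build the inventory of end-of-life installs.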
Avira Security Expert and Product Manager Sorin Mustaca said this simply continues the “sad state of Java security.”
Mustaca said that, while it most likely won’t happen, Oracle should make the software open source to address its current security problems.
“Making it open source would create an entirely new ecosystem with companies that can take care of the legacy Java versions like Java older than v6,” Mustaca said.
Other experts argue this might not be the best option, since open source versions of Java already exist and have not led to any major improvements.
“A comprehensive security review of the platform is what Java needs in the first place,” noted Adam Gowdiak, chief executive of Security Explorations, a company that focuses on Java vulnerabilities.