ID: IRCNE2013081941
Date: 2013-08-31
According to "zdnet", a number of security experts warn that businesses which fail to update from Java 6 on their systems are vulnerable to attack.
The final fix for the out-of-date Java 6 platform was released by Oracle in April. The bug, CVE-2013-2463, is rated as "critical".
"The vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets," according to Oracle's Java SE Critical Patch Update Advisory in June.
While Java 6 users remain vulnerable, the bug has been patched in Java 7. Java 6 has been retired, which means that updates are only available to paying clients.
Timo Hirvonen, a senior analyst at security firm F-Secure, told SCMagazine that the issue is now more important as a commercially available exploit kit is now taking advantage of Java 6's widespread use and security holes. The Neutrino exploit kit takes advantage of Java vulnerabilities, typically exploiting holes in order to download ransomware on to computer systems -- locking a computer until a fee is paid.
Hirvonen told the publication:
"An attacker can execute their own code on the system to infect it with malware. It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website."
One problem with updating, however, is that business-critical applications in ageing systems may not be able to function. Instead, corporations should consider whitelisting Java applets through browsers that support the service, including Internet Explorer and Google Chrome to mitigate the risk.
"So in essence they accept the risk of outdated Java in order to be able to continue to do business," said Kandek.
- 2