Matt Posted August 28, 2013 Report Posted August 28, 2013 SECURITY RESEARCHERS are urging users of Oracle's Java 6 software to upgrade to Java 7 as soon as possible to avoid becoming the victims of active cyber attacks.F-secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.CVE-2013-2463 was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 has the same vulnerability, as Oracle acknowledged in the update, but since Java 6 became unsupported in April 2013, there is no patch for the Java 6 vulnerability.Cloud security provider Qualys described the bug as an "implicit zero-day vulnerability". The firm's CTO Wolfgang Kandek said he had seen it included in the spreading Neutrino exploit kit threat, which "guarantees that it will find widespread adoption"."We know about its existence, but do not have a patch at hand," Kandek said in a blog post. "This happens each time a software package loses support and we track these instances in Qualysguard with our 'EOL/Obsolete' detections, in this case."In addition, we still see very high rates of Java 6 installed, a bit over 50 percent, which means many organisations are vulnerable."Like F-secure, Kandek recommended that any users with Java 6 upgrade to Java 7 as soon as they can."Without doubt, organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their vendors if an upgrade path exists," he added. µSource TheInquirer.Net Quote
