New attacks on Java 6 surface, but don’t expect a patch unless you pay Oracle

Hackers are using a new exploit for a bug in Java 6 to attack victims, but don’t expect a patch any time soon -- unless you decide to pay Oracle for long term Java support.

Now is probably a good time for nearly anyone still running Java 6 to uninstall Java or upgrade to Java 7, according to F-Secure security analyst Timo Hirvonen, who warned on Monday that hackers were exploiting the flaw CVE-2013-2463 in Java 6.

A new round of attacks on Java 6 in web browsers follows a proof of concept (PoC) exploit for the flaw that was published last week, according to Hirvonen.

“PoC for CVE-2013-2463 was released last week, now it's exploited in the wild. No patch for JRE6... Uninstall or upgrade to JRE7 update 25,” Hirvonen tweeted.

In a later tweet, he noted that the exploit was integrated into the Neutrino exploit kit -- one of dozens of kits for sale that bundle exploits for bugs in popular software to net victims.

Hirvonen’s advice for anyone still running Java 6, to either upgrade to the latest Java 7 or uninstall Java, is based on Oracle’s decision not to release new security updates for Java 6 to the public after moving it to “end of public updates” status this April.

Like many of the 40 Java flaws that Oracle acknowledged in its June update, the bug being exploited by Neutrino actually affected Java 7 Update 21 (and earlier) as well as Java 6 Update 45 (and earlier), and was also exploitable via the Java browser plugin.

But while anyone using Java 7 could move to Java 7 Update 25, only customers paying Oracle for long term Java support can access and install Java 6 Update 51 -- the latest Java 6 update.

Enterprise customers on “premium support” can expect Java 6 updates through to December this year, while Oracle’s “Extended Support” customers will receive updates to December 2016 and “Sustaining Support” customers can expect updates indefinitely.

As for the exploit kit Neutrino, CVE-2013-2463 is likely useful because it can, as a new exploit, avoid setting off alarms in antivirus products, at least in the short term.

According to independent security researcher Kafeine, the exploit for CVE-2013-2463 now bundled in Neutrino replaced an exploit for the Java bug CVE-2013-2465, for which Oracle also released patches in its June update -- for Java 7 (available to all) and for Java 6 (available only to paying support customers).

Microsoft may head into similar territory as it heads toward the end of Windows XP security updates for the public from April 8, 2014. Microsoft will continue to provide critical patches for Windows XP but they will be restricted to customers on its “Custom Support” contract.


Copyright © 2013 IDG Communications, Inc.
